允许访问使用者账户

This topic describes how a consumer can allow a Snowflake Native App to create and access objects in their account. This includes granting the privileges requested by an app or enabling access to existing objects by using references. It also describes how to allow an app to use external and Apache Iceberg™ tables that a provider shares in the app.

应用程序所请求的权限和引用

In a simple Snowflake Native App, all of the objects required by the app are created inside the application object when the setup script runs during installation. All of the objects required by the app are created in and accessed within the installed app. The consumer does not need to perform any actions in their account.

但是,某些应用程序可能会要求使用者在其账户中执行以下类型的操作:

  • 创建数据库或仓库。
  • 执行任务。
  • 访问表等现有对象。

There are two types of access that a Snowflake Native App can request:

  • Privileges that allow the app to perform some account-level operations. An app can request the following global privileges:

    • EXECUTE TASK
    • EXECUTE MANAGED TASK
    • CREATE WAREHOUSE
    • MANAGE WAREHOUSES
    • CREATE DATABASE
    • CREATE COMPUTE POOL
    • BIND SERVICE ENDPOINT
    • READ SESSION

    Some apps might also request the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database. See 授予 SNOWFLAKE 数据库的 IMPORTED PRIVILEGES 权限.

  • References that allow the app to access objects that already exist in the consumer account and are outside the application object. A provider defines the references required by the app in the manifest file.

    After installing the app, the consumer can authorize access on an object by creating a reference that associates the object to the app.

应用程序可以请求访问以下类型的对象及其相应的权限:

| | 对象类型 | 允许的权限 | | --------------- | ---------------------------------------------------- | | | TABLE | SELECT、INSERT、UPDATE、DELETE、TRUNCATE、REFERENCES | | | VIEW | SELECT、REFERENCES | | | EXTERNAL TABLE | SELECT、REFERENCES | | | FUNCTION | USAGE | | | PROCEDURE | USAGE | | | WAREHOUSE | MODIFY、MONITOR、USAGE、OPERATE | | | API INTEGRATION | USAGE |

A consumer can approve these requests using Snowsight or by running the SQL commands.

Note

如果您不授予所请求的权限或将所请求对象的引用关联到应用程序,则应用程序的某些部分可能无法正常运行。

使用 Snowsight 管理访问请求

If a provider implements a user interface in a Snowflake Native App, a consumer may perform the following using Snowsight.

  • 查看和授予全局权限。
  • 授予对使用者账户中现有对象的访问权限。

授予全局权限

  1. Sign in to Snowsight.

  2. In the navigation menu, select Catalog » Apps.

  3. 选择应用程序。

  4. Select the Settings icon in the toolbar.

  5. Select the Privileges tab.

    The account level permissions requested by the app appear under Account level privileges

  6. In the Account level privileges pane, select the Edit icon and then move the slider for each privilege that you want to grant.

  7. Select Update Privileges.

授权访问特定对象

If a provider implements a user interface for a Snowflake Native App, a consumer can use Snowsight to authorize access on objects in their account.

  1. Sign in to Snowsight.
  2. In the navigation menu, select Catalog » Apps.
  3. 选择应用程序。
  4. Select the Settings icon in the toolbar.
  5. Select the Privileges tab.
  6. In the Object access privileges pane, select Add next to the object to which you want to authorize access.
  7. Select Select Data and choose the data product to which you want to authorize access.
  8. Select Save.

撤销对象的权限和访问权限

如果撤消权限或移除对象的访问权限,可能会导致应用程序变得不稳定或停止运行。

  1. Sign in to Snowsight.
  2. In the navigation menu, select Catalog » Apps.
  3. 选择应用程序。
  4. Select the Settings icon in the toolbar.
  5. Select the Privileges tab.
  6. In the Account level privileges pane, select the Edit icon and then move the slider for the privilege you want to revoke.
  7. Select Update Privileges.

使用 SQL 命令管理应用程序的权限

如果您的提供商没有实现授予权限的接口,则必须使用 SQL 命令来管理应用程序访问请求。

查看应用程序请求的权限

如果提供商指定应用程序所需的权限,权限请求将包含在要安装的应用程序内。您可以在安装应用程序后查看这些权限。

To view the privileges required by an app, run the SHOW PRIVILEGES command as shown in the following example:

SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;

Grant privileges to a Snowflake Native App

使用者确定应用程序请求的权限后,可以向应用程序授予这些权限。

For example, to grant the EXECUTE TASK privilege to an app, run the GRANT <privileges> … TO ROLE command as shown in the following example:

GRANT EXECUTE TASK ON ACCOUNT TO APPLICATION hello_snowflake_app;

Grant the MANAGE WAREHOUSES privilege to a Snowflake Native App

The MANAGE WAREHOUSES privilege allows an app to create, modify, and use warehouses within the consumer account. To grant the MANAGE WAREHOUSES privilege to an app, use the GRANT <privileges> … TO ROLE as shown in the following example:

GRANT MANAGE WAREHOUSES ON ACCOUNT TO APPLICATION hello_snowflake_app;

授予 SNOWFLAKE 数据库的 IMPORTED PRIVILEGES 权限

Some apps might request that a consumer grants the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database in their account. This privilege can only be granted using SQL commands. It cannot be granted using Snowsight. If an app requires this privilege, the provider should communicate this requirement to the consumer, for example, in the README file of the app.

要授予 SNOWFLAKE 数据库的 IMPORT 权限,请运行以下命令:

GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO APPLICATION hello_snowflake_app;

Note

IMPORTED PRIVILEGES 权限允许应用程序访问与关联到使用者账户的使用情况和成本有关的信息。在授予此权限之前,使用者应确保希望与应用程序共享此信息。

手动授予对象的访问权限

When a provider defines a reference to an object in the manifest file, this reference definition is included as part of the installed app. A consumer can create a reference to an object in their account to authorize the app to access the object. If the provider did not create a user interface for allowing access to objects in the consumer account, the consumer can authorize access manually.

The consumer can create a reference for an object to associate with the app if they have the requested privileges on the object. For example, if SELECT and INSERT privileges are required for an object, for example a table, the consumer must create the reference using a role that has the SELECT and INSERT privileges on the table. To view the object types and the specific required privilege grants for each object, see View the References Requested by an App.

Note

引用不会授予对象的任何权限。如果用于创建引用的角色失去了对象的权限,则引用将不再有效。使用者必须执行以下操作之一:

  • 为创建引用的角色恢复所需权限。
  • 使用所需对象权限的角色重新创建引用。

查看应用程序所请求的引用

A consumer can view the references requested by an app by running the SHOW REFERENCES command as shown in the following example:

SHOW REFERENCES IN APPLICATION hello_snowflake_app;

此命令显示在应用程序中定义的所有引用的列表。它还显示使用者角色要创建引用所必须具有的对象权限。

创建引用并将引用关联到应用程序

After viewing the references requested by the app, a consumer can create the reference by running the SYSTEM$REFERENCE system function as shown in the following example:

SELECT SYSTEM$REFERENCE('table', 'db1.schema1.table1', 'persistent', 'select', 'insert');

此命令会创建引用并返回对象的标识符。标识符类似于以下示例:

ENT_REF_TABLE_16617302895522_2CDD20F5C047A5B87B2CE36F6837715786AF9F2D

使用者将此标识符传递给回调存储过程,以将引用关联到应用程序。

Note

使用者必须为应用程序请求的每个引用运行此命令。

To associate a reference to an app, the consumer must pass the identifier returned by calling the SYSTEM$REFERENCE system function to a callback stored procedure. A callback procedure is a stored procedure that the provider creates in the Snowflake Native App to associates a reference to the app.

要使用回调过程,请运行以下命令:

CALL app.config.register_single_reference(
  'consumer_table', 'ADD', 'ENT_REF_TABLE_16617302895522_2CDD20F5C047A5B87B2CE36F6837715786AF9F2D');

In this example, the register_single_reference() stored procedure associates the reference with the identifier ENT_REF_TABLE_16617302895522_2CDD20F5C047A5B87B2CE36F6837715786AF9F2D to the app.

Note

提供商可以在应用程序中包含不同的回调过程。应在应用程序的 README 文件中加以指定。

只需一步即可创建引用并将其关联至应用程序

After viewing the references requested by the application, a consumer can create the reference and associate it to the app by passing the SYSTEM$REFERENCE system function as an argument to a callback stored procedure.

以下示例显示了将 SYSTEM$REFERENCE 系统函数作为实参传递到回调存储过程所用的语法:

CALL app.config.register_single_reference(
 'consumer_table', 'ADD', SYSTEM$REFERENCE('table', 'db1.schema1.table1',
 'PERSISTENT', 'SELECT', 'INSERT'));

此示例创建引用,并将标识符传递给回调函数,从而将引用关联到应用程序。

Enable external and Apache Iceberg™ tables

The Snowflake Native App Framework allows providers to share external and Apache Iceberg™ tables in the provider shares with consumers in the app. However, consumers must give the app permission to access these tables.

安全性和成本注意事项

当允许应用访问外部表或 Iceberg 表时,使用者应注意以下几点:

  • External and Iceberg tables may pose data exfiltration risks to the consumer. For example, if an app exposes a view that contains an external table, a provider may be able to determine the types of queries the consumer makes by using their cloud provider access logs.
  • External and Iceberg tables may incur additional costs related to egress and ingress usage if the object store containing the table is not in the same region where the app is published.

Enable external and Iceberg tables using Snowsight

提供商可以将应用配置为向所有使用者显示对话框,以允许应用程序访问外部表或 Iceberg 表。

要允许应用程序访问外部表或 Iceberg 表,请执行以下步骤:

  1. Sign in to Snowsight.
  2. In the navigation menu, select Catalog » Apps.
  3. 选择应用程序。
  4. In the toolbar, select Settings.
  5. Select the Privileges tab.
  6. Under External data access, select Review.
  7. Select Enable.

使用 SQL 启用外部表和 Iceberg 表

要使用 SQL 启用对外部表和 Iceberg 表的访问,请使用 SET_APPLICATION_RESTRICTED_FEATURE_ACCESS 系统函数,如下图所示:

SELECT SYSTEM$SET_APPLICATION_RESTRICTED_FEATURE_ACCESS(hello_snowflake_app, 'external_data', '{"allowed_cloud_providers" : "all"}');

This command allows the hello_snowflake_app app to access the external or Iceberg tables in the that the app uses.

要确定是否已为应用程序启用了外部表和 Iceberg 表,请使用 LIST_APPLICATION_RESTRICTED_FEATURES 系统函数,如以下示例所示:

SYSTEM$LIST_APPLICATION_RESTRICTED_FEATURES('hello_snowflake_app')

This system function returns a JSON object that indicates if external and Iceberg tables are allowed the for the hello_snowflake_app.