Tutorial 6: Configure and test service endpoint privileges

Introduction

In Tutorial 1, you used the same role to both create and test the service. The role that creates a service is the service's owner role, so that role can communicate with the service without any further grants.

In this tutorial, you explore communicating with the service by using a different, non-owner role.

You grant that role the USAGE privilege on a service endpoint by using a service role that you define in the service specification; the service role, not the account role, is what determines which endpoints are reachable.

In this tutorial, you modify Tutorial 1 as follows:

  1. Create a new role that you will use to communicate with the service.

  2. Modify the service specification as follows:

    • Define two endpoints instead of just one. Note that the second endpoint is added only to demonstrate how endpoint privileges work.
    • Define a service role that grants access to only one of the two endpoints.
  3. Grant the service role to the new role you created, which allows access to one of the service endpoints.

  4. Use the new role to communicate with the service endpoint.

Preparation

Follow Common Setup with the following modifications:

  1. Complete the Common Setup steps.

  2. By using the ACCOUNTADMIN role, execute the following script to create another role (service_function_user_role), replacing <user-name> with the name of your Snowflake user. After creating the echo service, you use this role to communicate with the service.

    USE ROLE ACCOUNTADMIN;
    CREATE ROLE service_function_user_role;
    GRANT ROLE service_function_user_role TO USER <user-name>;
    GRANT USAGE ON WAREHOUSE tutorial_warehouse TO ROLE service_function_user_role;
  3. Follow Tutorial 1, steps 1 and 2, to build and upload an image to a repository in your account. Don’t proceed with step 3 because you will create the service as part of this tutorial.

Create a service

  1. To ensure you are in the correct context for the SQL statements in this step, execute the following:

    USE ROLE test_role;
    USE DATABASE tutorial_db;
    USE SCHEMA data_schema;
    USE WAREHOUSE tutorial_warehouse;
  2. To create the service, execute the following command by using test_role (the service’s owner role).

    CREATE SERVICE echo_service
      IN COMPUTE POOL tutorial_compute_pool
      FROM SPECIFICATION $$
    spec:
      containers:
      - name: echo
        image: /tutorial_db/data_schema/tutorial_repository/my_echo_service_image:latest
        env:
          SERVER_PORT: 8000
          CHARACTER_NAME: Bob
        readinessProbe:
          port: 8000
          path: /healthcheck
      endpoints:
      - name: echoendpoint
        port: 8000
        public: true
      - name: echoendpoint2
        port: 8002
        public: true
    serviceRoles:
    - name: echoendpoint_role
      endpoints:
      - echoendpoint
    $$;

    Per the inline specification, echo_service exposes two public endpoints, but the service role (echoendpoint_role) grants the USAGE privilege on only one of them (echoendpoint). Note that serviceRoles is a top-level field of the specification, a sibling of spec, not a child of it.

  3. Verify that the service is running.

    SHOW SERVICES;
    SHOW SERVICE CONTAINERS IN SERVICE echo_service;
    DESCRIBE SERVICE echo_service;
  4. By using test_role (the service’s owner role), grant the service role defined in the specification to the new role (service_function_user_role) you created as part of the common setup. Also grant USAGE privileges on the database and the schema.

    USE ROLE test_role;
    USE DATABASE tutorial_db;
    USE SCHEMA data_schema;
    
    GRANT USAGE ON DATABASE tutorial_db TO ROLE service_function_user_role;
    GRANT USAGE ON SCHEMA data_schema TO ROLE service_function_user_role;
    GRANT SERVICE ROLE echo_service!echoendpoint_Role TO ROLE service_function_user_role;

    This service role grants service_function_user_role the USAGE privilege on the echoendpoint endpoint only; it grants nothing on echoendpoint2 and nothing on the service object itself.

    To demonstrate that the service role name is case-insensitive, the example uses the echoendpoint_Role spelling of the role name.
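Before handing the role to a user, it is worth confirming that the privilege boundary is the one the specification intended. The following verification queries are an added example and are not part of the original tutorial; they assume the objects created above (echo_service, echoendpoint_role, service_function_user_role) and use the SHOW ENDPOINTS IN SERVICE, SHOW SERVICE ROLES IN SERVICE and SHOW GRANTS TO ROLE commands.

```sql
-- Added verification step (not part of the original tutorial).
-- Run as the service owner (test_role).
USE ROLE test_role;
USE DATABASE tutorial_db;
USE SCHEMA data_schema;

-- Both endpoints exist and are public. echoendpoint2 is the one that
-- service_function_user_role must NOT be able to use.
SHOW ENDPOINTS IN SERVICE echo_service;

-- The service roles defined in the specification and the endpoints each
-- one covers. Expected: a single role, echoendpoint_role, covering
-- echoendpoint only. If echoendpoint2 shows up here, the specification
-- is wider than intended.
SHOW SERVICE ROLES IN SERVICE echo_service;

-- Confirm the grant landed on the intended account role. The service role
-- should appear next to the USAGE grants on the warehouse, database and
-- schema; there should be no OWNERSHIP, OPERATE or MONITOR grant on the
-- service itself.
SHOW GRANTS TO ROLE service_function_user_role;
```

Review the output of the last two statements together: the service role is the only path by which service_function_user_role reaches the service, so anything listed there beyond echoendpoint_role and the three USAGE grants is a privilege the tutorial did not ask for.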

Use the service

Create a service function to communicate with the service. You create the service function by using service_function_user_role (not the service's owner role), and then call it with that same role.

  1. Create a service function.

    USE ROLE service_function_user_role;
    CREATE OR REPLACE FUNCTION my_echo_udf_try1 (InputText VARCHAR)
      RETURNS varchar
      SERVICE=echo_service
      ENDPOINT=echoendpoint
      AS '/echo';
  2. Try creating another service function that refers to the echoendpoint2 endpoint, on which the role has no USAGE privilege. Because the endpoint privilege check happens when the function is created, the command fails with an insufficient-privileges error.

    CREATE OR REPLACE FUNCTION my_echo_udf_try2 (InputText varchar)
      RETURNS varchar
      SERVICE=echo_service
      ENDPOINT=echoendpoint2
      AS '/echo';
  3. Use the service function.

    SELECT my_echo_udf_try1('Hello');
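The steps above show the privilege boundary from the non-owner role's side. The following script, an added example that is not part of the original tutorial, exercises that boundary in both directions and then revokes the service role. It assumes the objects created above (echo_service, echoendpoint_role, service_function_user_role, my_echo_udf_try1) and uses ALTER SERVICE ... SUSPEND and REVOKE SERVICE ROLE; the function name my_echo_udf_try3 is a hypothetical name chosen for this example.

```sql
-- Added example (not part of the original tutorial).

-- 1. The non-owner role can call the function bound to the granted endpoint.
USE ROLE service_function_user_role;
SELECT my_echo_udf_try1('Hello');

-- 2. A service role grants USAGE on an endpoint and nothing else. Suspending
--    the service requires the OPERATE privilege (or OWNERSHIP) on the service
--    object, which this role does not hold, so this statement is expected to
--    fail with an insufficient-privileges error.
ALTER SERVICE echo_service SUSPEND;

-- 3. Only the owner can revoke the service role. Once it is revoked, the
--    role can no longer bind a new service function to echoendpoint either.
USE ROLE test_role;
REVOKE SERVICE ROLE echo_service!echoendpoint_role FROM ROLE service_function_user_role;

USE ROLE service_function_user_role;
CREATE OR REPLACE FUNCTION my_echo_udf_try3 (InputText VARCHAR)   -- hypothetical name
  RETURNS VARCHAR
  SERVICE=echo_service
  ENDPOINT=echoendpoint
  AS '/echo';   -- expected to fail: USAGE on echoendpoint was revoked

-- 4. Restore the grant so the tutorial's cleanup steps run as written.
USE ROLE test_role;
GRANT SERVICE ROLE echo_service!echoendpoint_role TO ROLE service_function_user_role;
```

Step 2 is the check to keep in mind when designing service roles: they are the least-privilege mechanism for consumers of a service, and a role that holds only a service role cannot suspend, alter or drop the service, nor read its other endpoints.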

Clean up

To remove the resources you created, follow the cleanup steps in Tutorial 1, which also remove the other resources created there.

What's next?

Now that you’ve completed this tutorial, you can return to Working with Services to explore other topics.