Understanding owner’s rights and Streamlit in Snowflake apps
Introduction
The model for Streamlit in Snowflake closely maps to the owner’s rights model in stored procedures. This eliminates the need for service account tokens and integrates with the authentication, access control, and network policy features that Snowflake provides.
About owner’s rights in Streamlit in Snowflake
By default, Streamlit apps follow these rules within a session:
- Run with the privileges of the owner, not the privileges of the caller. To run a container-runtime app with restricted caller’s rights instead, see Restricted caller’s rights and Streamlit in Snowflake.
- Run using the warehouse set up by the app owner.
- Use the database and schema that the Streamlit in Snowflake app was created in, not the database and schema that the caller is currently using.
About creating apps
Streamlit apps are schema-level objects. To create a Streamlit app, you need the appropriate privileges on the database, schema, and warehouse. After the app is created, it runs under the role of the user who originally created it.
For more information, see Privileges required to create a Streamlit app.
Viewing apps
The app owner chooses which roles are allowed to use the app. Viewers can interact with the app and see anything that is displayed on screen. When the privileges of the app owner role are shared with other roles, the app can use all of the privileges of that role, regardless of whether a privilege was granted WITH GRANT OPTION.
For more information, see Privileges required to view a Streamlit app.
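The following SQL is an added example, not taken from the Snowflake documentation, showing how the creation and viewing rules above translate into dedicated roles. The role, database, schema, warehouse, and app names are placeholders. Because the app runs with the owner's rights, the viewer role only needs USAGE on the app and its containing database and schema; it does not need privileges on the tables the app queries, and conversely every privilege held by the owner role is reachable from the app.

```sql
-- Example (not Snowflake's own code); all object names are placeholders.
USE ROLE SECURITYADMIN;

-- 1. Dedicated owner/creator role: the app will run with this role's privileges.
CREATE ROLE IF NOT EXISTS app_owner_role;
GRANT USAGE ON DATABASE app_db TO ROLE app_owner_role;
GRANT USAGE ON SCHEMA app_db.app_schema TO ROLE app_owner_role;
GRANT CREATE STREAMLIT ON SCHEMA app_db.app_schema TO ROLE app_owner_role;
GRANT CREATE STAGE ON SCHEMA app_db.app_schema TO ROLE app_owner_role;
GRANT USAGE ON WAREHOUSE app_wh TO ROLE app_owner_role;
-- Only the data the app really needs: these grants are what viewers inherit through the app.
GRANT SELECT ON TABLE app_db.app_schema.sales TO ROLE app_owner_role;
-- Required only if the app calls context functions such as CURRENT_USER().
GRANT READ SESSION ON ACCOUNT TO ROLE app_owner_role;

-- 2. Dedicated viewer role: no data privileges, only access to the app object.
CREATE ROLE IF NOT EXISTS app_viewer_role;
GRANT USAGE ON DATABASE app_db TO ROLE app_viewer_role;
GRANT USAGE ON SCHEMA app_db.app_schema TO ROLE app_viewer_role;

-- 3. The app is created by (and therefore owned by) app_owner_role.
USE ROLE app_owner_role;
CREATE STREAMLIT app_db.app_schema.sales_dashboard
  ROOT_LOCATION = '@app_db.app_schema.app_stage'
  MAIN_FILE = 'streamlit_app.py'
  QUERY_WAREHOUSE = app_wh;

-- 4. Viewers get USAGE on the app only; they never receive SELECT on the table.
GRANT USAGE ON STREAMLIT app_db.app_schema.sales_dashboard TO ROLE app_viewer_role;
```

Keep ownership of the app with a role that holds nothing beyond what the app needs: any privilege later granted to app_owner_role (even without WITH GRANT OPTION) becomes usable by every viewer through the app.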
Restrictions on owner’s rights
Because apps run with owner’s rights, they have several additional restrictions. If you use any context functions, you must grant the global READ SESSION privilege to the app owner role. For more information, see Row access policies in Streamlit in Snowflake.
Warehouse-runtime apps run as stored procedures and are subject to the same restrictions as owner’s rights stored procedures. For example, the following are affected:
- The built-in functions that can be called from within a stored procedure.
- The ability to execute ALTER USER statements.
- DESCRIBE, SHOW, and LIST commands.
- The types of SQL statements that can be called from within a stored procedure.
For more information, see Additional restrictions on owner’s rights stored procedures. Container-runtime apps don’t run as stored procedures and aren’t subject to these additional restrictions.
Owner’s rights and app security
Streamlit apps running in Streamlit in Snowflake run with owner’s rights and follow the same security model as other Snowflake objects that run with owner’s rights.
Although Snowflake provides security features such as authentication, role-based access control, and administrative controls, responsibility for app security is shared with the app creator and owner.
For example, use caution when granting roles with write privileges to other Snowflake users. Write privileges allow a user to modify the Streamlit app.
In general, Snowflake recommends using role-based access control and dedicated roles for creating and viewing Streamlit apps. In addition, follow appropriate security practices when developing Streamlit apps in Snowflake, and regularly perform security audits of the Streamlit apps in your account.
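The following queries are an added example of the periodic audit recommended above; they are not part of the Snowflake documentation, and the database, schema, role, and app names are placeholders. The audit works from the owner's rights model: whatever the owner role can do, every viewer can do through the app, so the review walks from the app to its owner role, to that role's privileges, and to the principals who can modify the app.

```sql
-- Example audit (not Snowflake's own code); object names are placeholders.
USE ROLE SECURITYADMIN;

-- 1. Inventory every app in the schema with its owner role and query warehouse.
SHOW STREAMLITS IN SCHEMA app_db.app_schema;

-- 2. Effective privileges reachable from inside a given app: everything the
--    owner role holds, whether or not it was granted WITH GRANT OPTION.
SHOW GRANTS TO ROLE app_owner_role;

-- 3. Who can reach the app: USAGE holders are viewers, OWNERSHIP holders
--    (and anyone holding the owner role) can change the app's code.
SHOW GRANTS ON STREAMLIT app_db.app_schema.sales_dashboard;
SHOW GRANTS OF ROLE app_owner_role;

-- 4. Flag apps whose owner role can modify data. Review the output of step 2
--    for any INSERT, UPDATE, DELETE, or OWNERSHIP grant on tables: those
--    privileges are exposed to all viewers of the app, not just its developers.
SHOW GRANTS TO ROLE app_owner_role;
```

Run the review whenever the owner role's grants change, not only when the app changes: a new table grant to app_owner_role silently widens what every viewer can reach through sales_dashboard.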