Privileges required to create and use Streamlit apps

Within Streamlit in Snowflake, a Streamlit app is a securable object that adheres to the Snowflake access control framework. Streamlit apps use a permission model that is based on owner’s rights. For more information, see Understanding owner’s rights and Streamlit in Snowflake apps. You can also configure a container-runtime app to use restricted caller’s rights (Preview). For more information, see Restricted caller’s rights and Streamlit in Snowflake.

The app owner and the owner of the schema that contains the Streamlit app determine which roles have privileges to use the app. Users can interact with the app and can see anything the Streamlit app displays. Users have the same view of the app as the owner, except that they cannot access edit mode.

For more information, see Share a Streamlit app.

Privileges required to create a Streamlit app

To create a Streamlit app, if your role does not own the objects in the following table, then your role must have the listed privileges on those objects:

  • CREATE STREAMLIT on the schema where you create the Streamlit object.
  • READ on the stage from which you copy the Streamlit app source files.
  • USAGE on the warehouse used by the Streamlit app.
  • USAGE on the compute pool used by the Streamlit app. This privilege is only required if your app uses a container runtime.
  • USAGE on the external access integrations used by the Streamlit app. This privilege is only required if your app uses external access integrations. For container runtimes, this privilege is required to install packages from external package indexes like PyPI.
  • USAGE on the secrets used by the Streamlit app. This privilege is only required if your app uses secrets and only applies to warehouse runtimes.
  • CREATE STAGE on the schema where you create the Streamlit object. This privilege is only required to create Streamlit objects with the ROOT_LOCATION parameter.

Operating on an object in a schema requires at least one privilege on the parent database and at least one privilege on the parent schema.

Use the GRANT <privileges> … TO ROLE command to grant these privileges to a role. The following example shows how to grant the necessary privileges to create container-runtime apps:

GRANT USAGE ON DATABASE streamlit_db TO ROLE streamlit_developer;
GRANT USAGE ON SCHEMA streamlit_db.apps TO ROLE streamlit_developer;
GRANT CREATE STREAMLIT ON SCHEMA streamlit_db.apps TO ROLE streamlit_developer;
GRANT USAGE ON COMPUTE_POOL streamlit_compute_pool TO ROLE streamlit_developer;
GRANT USAGE ON INTEGRATION python_package_index TO ROLE streamlit_developer;
GRANT USAGE ON WAREHOUSE streamlit_wh TO ROLE streamlit_developer;

If future grants are defined on the database or schema, make sure that users create Streamlit apps with the role specified in the future grant.

Privileges required to view a Streamlit app

To view a Streamlit app, you must have a Snowflake account and be logged in. In addition, you must use a role that has been granted the USAGE privilege on the following objects:

  • The database that contains the Streamlit app
  • The schema that contains the Streamlit app
  • The Streamlit app

In most cases, when the app owner shares a Streamlit app with another role, the USAGE privilege is granted to the new role automatically. However, if the Streamlit app is created in a MANAGED ACCESS schema, the USAGE privilege must be granted to the new role manually.

The schema owner, or a user with a role that has the MANAGE GRANTS privilege, must grant the USAGE privilege using the GRANT <privileges> … TO ROLE command, as shown in this example:

GRANT USAGE ON DATABASE streamlit_db TO ROLE streamlit_viewer;
GRANT USAGE ON SCHEMA streamlit_db.streamlit_schema TO ROLE streamlit_viewer;
GRANT USAGE ON STREAMLIT streamlit_db.streamlit_schema.streamlit_app TO ROLE streamlit_viewer;

The schema owner, or a user with a role that has the MANAGE GRANTS privilege, can grant the USAGE privilege to view all future Streamlit apps created in a schema, as shown in the following example:

GRANT USAGE ON FUTURE STREAMLITS IN SCHEMA streamlit_db.streamlit_schema TO ROLE streamlit_viewer;
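The following is an added example, not part of the Snowflake documentation, that ties the managed-access case above to a verification step: it grants the viewer role the three USAGE privileges plus the future grant from a role holding MANAGE GRANTS, then reads back what the role actually holds so that nothing beyond USAGE was granted by mistake. Object and role names reuse those from the examples above; the use of SECURITYADMIN as the granting role and the managed-access schema are assumptions.

```sql
-- Added example (not from the Snowflake docs). Assumes streamlit_db.streamlit_schema
-- was created WITH MANAGED ACCESS, so the app owner cannot grant on it and the
-- grants must come from the schema owner or a role with MANAGE GRANTS.
USE ROLE SECURITYADMIN;   -- assumption: this role holds MANAGE GRANTS

-- Minimum set a viewer needs: USAGE on database, schema and the app itself.
GRANT USAGE ON DATABASE streamlit_db TO ROLE streamlit_viewer;
GRANT USAGE ON SCHEMA streamlit_db.streamlit_schema TO ROLE streamlit_viewer;
GRANT USAGE ON STREAMLIT streamlit_db.streamlit_schema.streamlit_app TO ROLE streamlit_viewer;

-- Cover apps created in this schema later, so viewers do not silently lose access.
GRANT USAGE ON FUTURE STREAMLITS IN SCHEMA streamlit_db.streamlit_schema TO ROLE streamlit_viewer;

-- Read back the role's grants and keep only the rows that matter for viewing.
-- Any row with a privilege other than USAGE on these object types is over-grant.
SHOW GRANTS TO ROLE streamlit_viewer;
SELECT "privilege", "granted_on", "name", "granted_by"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "granted_on" IN ('DATABASE', 'SCHEMA', 'STREAMLIT')
 ORDER BY "granted_on", "name";

-- Confirm the future grant is in place for the schema.
SHOW FUTURE GRANTS IN SCHEMA streamlit_db.streamlit_schema;
```

The future grant applies only to Streamlit objects created after it is issued; apps that already exist in the schema still need the explicit GRANT USAGE ON STREAMLIT shown above.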