Understanding owner’s rights and Streamlit in Snowflake apps
The model for Streamlit in Snowflake closely maps to the owner’s rights model used by stored procedures: an app runs with the privileges of the role that owns it, not the privileges of the user viewing it. This eliminates the need to embed service account tokens in the app and means that the same Snowflake authentication, role-based access control, and network policy features that govern every other object also govern the app.
About owner’s rights in Streamlit in Snowflake
Within a session, a Streamlit app adheres to the following rules:
It runs with the privileges of the owner role, not the privileges of the caller.
It runs on the warehouse specified by the app owner (the app’s QUERY_WAREHOUSE), not the warehouse the caller is currently using.
It uses the database and schema in which the Streamlit app was created, not the database and schema that the caller is currently using.
About app creation
The privilege to create a Streamlit app is granted at the schema level: a role needs the CREATE STREAMLIT privilege on the schema (the schema’s owning role holds it implicitly) to create an app in that schema. The role that creates the app becomes its owner, and the app runs with that role’s privileges from then on.
Viewing an app
The app owner chooses which roles are permitted to use the app by granting USAGE on the Streamlit object to those roles.
Viewers can interact with the app and see anything it displays.
Every privilege held by the owner role is exercised by the app on behalf of every viewer, whether or not the privilege was granted WITH GRANT OPTION. Viewers cannot run arbitrary SQL as the owner, but they can reach any data the app’s code is written to query, so treat each privilege held by the owner role as if it had been granted to the viewer roles.
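The following is an added example, not part of the original page or of Snowflake’s own code, showing the creation and sharing steps above with a dedicated owner role and a dedicated viewer role, as the security guidance later on this page recommends. The database, schema, role, warehouse, stage and view names (APPS_DB, SALES_APP, STREAMLIT_OWNER_SALES, STREAMLIT_VIEWER_SALES, STREAMLIT_WH, APP_CODE, ORDERS_SUMMARY) are assumptions; the Python file is assumed to have been uploaded to the stage separately.

```sql
-- Added example (not from the Snowflake documentation page). All object
-- and role names below are assumptions for illustration.

USE ROLE SECURITYADMIN;

-- 1. A dedicated owner role that holds only what the app itself needs.
--    Do NOT create apps as ACCOUNTADMIN or SYSADMIN: every privilege of the
--    owner role becomes reachable through the app by every viewer.
CREATE ROLE IF NOT EXISTS STREAMLIT_OWNER_SALES;
GRANT USAGE ON DATABASE APPS_DB TO ROLE STREAMLIT_OWNER_SALES;
GRANT USAGE ON SCHEMA APPS_DB.SALES_APP TO ROLE STREAMLIT_OWNER_SALES;
GRANT CREATE STREAMLIT ON SCHEMA APPS_DB.SALES_APP TO ROLE STREAMLIT_OWNER_SALES;
GRANT CREATE STAGE ON SCHEMA APPS_DB.SALES_APP TO ROLE STREAMLIT_OWNER_SALES;
GRANT USAGE ON WAREHOUSE STREAMLIT_WH TO ROLE STREAMLIT_OWNER_SALES;
-- The data the app queries (assumed view). Granted once, to the owner role,
-- and thereby available to every viewer through the app.
GRANT SELECT ON VIEW APPS_DB.SALES_APP.ORDERS_SUMMARY TO ROLE STREAMLIT_OWNER_SALES;

-- 2. A viewer role that holds nothing but the ability to open the app.
--    It needs no grant on ORDERS_SUMMARY and no warehouse of its own.
CREATE ROLE IF NOT EXISTS STREAMLIT_VIEWER_SALES;
GRANT USAGE ON DATABASE APPS_DB TO ROLE STREAMLIT_VIEWER_SALES;
GRANT USAGE ON SCHEMA APPS_DB.SALES_APP TO ROLE STREAMLIT_VIEWER_SALES;

-- 3. Create the app as the owner role. It will run with this role's
--    privileges, on STREAMLIT_WH, in APPS_DB.SALES_APP, regardless of the
--    viewer's current role, warehouse, database or schema.
USE ROLE STREAMLIT_OWNER_SALES;
CREATE STAGE IF NOT EXISTS APPS_DB.SALES_APP.APP_CODE;
-- (streamlit_app.py is assumed to be uploaded to @APPS_DB.SALES_APP.APP_CODE/sales)
CREATE STREAMLIT APPS_DB.SALES_APP.SALES_DASHBOARD
  ROOT_LOCATION = '@APPS_DB.SALES_APP.APP_CODE/sales'
  MAIN_FILE = 'streamlit_app.py'
  QUERY_WAREHOUSE = STREAMLIT_WH;

-- 4. Share the app. This grant carries no WITH GRANT OPTION, yet viewers
--    still reach ORDERS_SUMMARY through the app via the owner's SELECT.
GRANT USAGE ON STREAMLIT APPS_DB.SALES_APP.SALES_DASHBOARD TO ROLE STREAMLIT_VIEWER_SALES;
```

The point of the split is containment: the blast radius of a bug in the app (for example, SQL assembled from user input) is bounded by what STREAMLIT_OWNER_SALES can do, and granting STREAMLIT_VIEWER_SALES to a user gives that user nothing beyond opening this one app.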
Restrictions on owner’s rights
Because apps run with owner’s rights, they are subject to the same additional restrictions as owner’s rights stored procedures. These restrictions affect the following:
The built-in functions that can be called from inside the app (or from a stored procedure it calls).
The ability to execute ALTER USER statements.
The types of SQL statements that can be executed from inside the app or a stored procedure it calls.
Some DESCRIBE commands.
Owner’s rights and app security
Streamlit apps running in Streamlit in Snowflake run with owner’s rights and follow the same security model as other Snowflake objects that run with owner’s rights.
Although Snowflake provides security features such as authentication, role-based access control, and administrative controls, responsibility for the security of an app is shared with the people who create and own it.
An app is owned by a role, and that role may be granted to many users, each of whom can then change what the app does. Before you grant a role that owns a Streamlit app to another user, Snowflake recommends that you review the privileges granted to or inherited by that role, because each of those privileges is exercised by the app on behalf of every viewer.
Use particular caution when granting a role with write privileges on the app to another user: write privileges allow that user to modify the Streamlit app’s code and therefore to change which of the owner’s privileges the app exposes.
In general, Snowflake recommends using role-based access control with dedicated roles for creating and for viewing Streamlit apps. Additionally, follow appropriate secure development practices while building Streamlit apps inside Snowflake, and perform regular security audits of the Streamlit apps in your account.
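The following is an added example, not from the original page or from Snowflake, of the review the preceding paragraphs call for: what an app’s owner role can do, directly and through inherited roles, and who holds that role. The names APPS_DB.SALES_APP and STREAMLIT_OWNER_SALES are assumptions. The SHOW commands are live; the ACCOUNT_USAGE queries read Snowflake’s account-usage views, which lag behind live state by up to a couple of hours.

```sql
-- Added example (not from the Snowflake documentation page). Object and role
-- names are assumptions for illustration.

-- Which apps exist in the schema, and which role owns each one.
SHOW STREAMLITS IN SCHEMA APPS_DB.SALES_APP;

-- Everything the owner role can do directly. Each row is, in effect,
-- available to every viewer of every app this role owns.
SHOW GRANTS TO ROLE STREAMLIT_OWNER_SALES;

-- Every user and role that holds the owner role and can therefore
-- change the app's code or what it queries.
SHOW GRANTS OF ROLE STREAMLIT_OWNER_SALES;

-- Account-wide audit: for every role that owns a Streamlit object, list the
-- privileges it holds directly AND through roles granted to it. Role-to-role
-- grants appear in GRANTS_TO_ROLES as GRANTED_ON = 'ROLE', which the
-- recursive CTE walks; Snowflake forbids role cycles, so the walk terminates.
WITH RECURSIVE owner_roles AS (
  SELECT DISTINCT grantee_name AS role_name, grantee_name AS owner_role
  FROM snowflake.account_usage.grants_to_roles
  WHERE granted_on = 'STREAMLIT'
    AND privilege = 'OWNERSHIP'
    AND deleted_on IS NULL
  UNION ALL
  SELECT g.name, o.owner_role
  FROM owner_roles o
  JOIN snowflake.account_usage.grants_to_roles g
    ON g.grantee_name = o.role_name
   AND g.granted_on = 'ROLE'
   AND g.deleted_on IS NULL
)
SELECT o.owner_role,
       o.role_name AS via_role,
       g.privilege,
       g.granted_on,
       g.name AS object_name,
       g.grant_option
FROM owner_roles o
JOIN snowflake.account_usage.grants_to_roles g
  ON g.grantee_name = o.role_name
 AND g.deleted_on IS NULL
WHERE g.granted_on <> 'ROLE'
ORDER BY o.owner_role, g.granted_on, g.name;

-- Who can assume each owner role. Anyone listed here can modify the app.
SELECT u.role AS owner_role, u.grantee_name AS user_name
FROM snowflake.account_usage.grants_to_users u
WHERE u.deleted_on IS NULL
  AND u.role IN (
    SELECT grantee_name
    FROM snowflake.account_usage.grants_to_roles
    WHERE granted_on = 'STREAMLIT'
      AND privilege = 'OWNERSHIP'
      AND deleted_on IS NULL
  )
ORDER BY owner_role, user_name;
```

Rows in the first query with OWNERSHIP or write privileges on tables outside the app’s own schema, or with GRANTED_ON = 'WAREHOUSE' on large warehouses, are the ones to question: through the app, every viewer can drive them. Running this regularly, rather than only before a grant, is the practical form of the recommended security audit.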