Create a user interface to request privileges and references

This topic describes how to create a user interface using Streamlit and Snowsight to allow consumers to grant privileges and create references for an installed Snowflake Native App. The Snowflake Native App Framework provides the Python Permission SDK that allows providers to embed requests for the consumer using a Streamlit app.

About privileges and references

For general information on requesting privileges and references from the consumer using the Snowflake Native App Framework, refer to Request access to objects in a consumer account.

About the Python Permission SDK

The Snowflake Native App Framework provides the Python Permission SDK which allows a provider to do the following within a Snowflake Native App:

  • Check for account level privileges.

  • Request global privileges that are listed in the manifest file.

  • Request references to objects and their corresponding object level privileges as defined in the manifest file.

  • Request privileged actions, for example creating an API integration or creating a share.

Using the Python Permission SDK, Snowsight displays the access requests in the Security tab of the installed Snowflake Native App.

Workflow for creating an interface to approve privileges and bind references

The following general workflow outlines the steps required to implement a Streamlit app to request grants for privileges and references from the consumer.

  1. Create an application package.

  2. In the manifest file, specify the privileges and define the references required for the Snowflake Native App.

  3. Add a Streamlit app to your application package.

  4. Add an environment.yml file to your application package.

    Note

    The environment.yml file must be in the same directory as main Streamlit file used to implement the Snowsight interface.

  5. Add the snowflake-native-apps-permission library as a dependency.

  6. Import the snowflake.permissions library in your Streamlit app.

  7. Add functions to your Streamlit app that call the functions provided by the SDK.

Add the Python Permission SDK to a Streamlit environment

To use the Python Permission SDK in a Streamlit app, add the snowflake-native-apps-permission package as a dependency in your environment.yml file as shown in the following example:

name: sf_env
channels:
- snowflake
dependencies:
- snowflake-native-apps-permission
Copy

Import the Python Permission SDK in a Streamlit app

To import the Python Permission SDK into your Streamlit app, include the following import statement in your app:

import snowflake.permissions as permissions;
Copy

Request privileges from the consumer

The following examples show how to perform different tasks using the Python Permission SDK.

Check Account Level Privileges

This example shows how to use the get_held_account_privileges() method of the Permissions API to check if permissions declared in the manifest file are granted to the installed Snowflake Native App.

For example, if a Snowflake Native App needs to create a database outside of the APPLICATION object, a provider can define the reference in the manifest file as follows:

privileges:
- CREATE DATABASE:
    description: "Creation of ingestion (required) and audit databases"
Copy

Using the Python Permission SDK, you can use the get_held_account_privileges() method to obtain a list of privileges that have been granted to the Snowflake Native App.

import streamlit as st
import snowflake.permissions as permissions
...
if not permissions.get_held_account_privileges(["CREATE DATABASE"]):
    st.error("The app needs CREATE DB privilege to replicate data")
Copy

This example calls the get_held_account_privileges() function, passing the CREATE DATABASE permission as a parameter. A provider can use get_held_account_privileges() function to respond appropriately until the consumer grants the required privileges to the Snowflake Native App.

Note

Only privileges defined in the manifest file are valid arguments to get_held_account_privileges(). Passing other arguments results in an error.

Request privileged actions from the consumer

Providers can use the Python Permission SDK to request privileged actions required by the Snowflake Native App.

For example, to request an API integration that allows the Snowflake Native App to connect to a ServiceNow instance, a provider would define the API integration in the manifest file:

references:
- servicenow_api_integration:
  label: "API INTEGRATION for ServiceNow communication"
  description: "An integration required in order to support extraction and visualization of ServiceNow data."
  privileges:
    - USAGE
  object_type: API Integration
  register_callback: config.register_reference
Copy

Next, in the Streamlit app, the provider calls the request_reference(<ref_name>) method to request the USAGE privilege on the API integration as shown in the following example:

permissions.request_reference("servicenow_api_integration")
Copy

Python Permission SDK reference

The following table lists the functions provided in the snowflake.permissions module by the Python Permission SDK:

Method

Description

request_account_privileges(privileges: [str])

Requests privileges from the consumer specified by a string array passed to the function that contains the privileges. The specified privileges must be listed in the manifest file.

request_reference(reference: str)

Requests a reference from the consumer specified by the string passed to the function. The reference passed to the function must be defined in the manifest file. Refer to Object types and privileges that a reference can contain for the objects that can be included in a reference and their supported privileges.

request_aws_api_integration(id: str, allowed_prefixes: [str], gateway: AwsGateway, aws_role_arn: str, api_key: str = None, name: str = None, comment: str = None)

Requests an API integration from the consumer for the Amazon API Gateway. The id parameter must be the name of the API integration defined in the manifest file.

AwsGateway can have the following values:

  • permissions.AwsGateway.API_GATEWAY

  • permissions.AwsGateway.PRIVATE_API_GATEWAY

  • permissions.AwsGateway.GOV_API_GATEWAY

  • permissions.AwsGateway.GOV_PRIVATE_API_GATEWAY

Refer to CREATE API INTEGRATION for information on other parameters.

request_azure_api_integration(id: str, allowed_prefixes: [str], tenant_id: str, application_id: str, api_key: str = None, name: str = None, comment: str = None)

Requests an API integration from the consumer for Azure API Management. The id parameter must be the name of the API integration defined in the manifest file. Refer to CREATE API INTEGRATION for information on other parameters.

request_google_api_integration(id: str, allowed_prefixes: [str], audience: str, name: str = None, comment: str = None, api_key: str = None)

Requests an API integration from the consumer for Google Cloud API Gateway. The id parameter must be the name of the API integration defined in the manifest file. Refer to CREATE API INTEGRATION for information on other parameters.

get_held_account_privileges(privilege_names: [str]) -> [str]

Returns an array containing the privileges that have been granted to the Snowflake Native App based on the array of privileges passed to the function.

get_missing_account_privileges(privilege_names: [str]) -> [str]

Returns an array containing the privileges that have not been granted to the Snowflake Native App based on the array of privileges passed to the function.

get_reference_associations(reference_name: str) -> [str]

Returns an array containing a list of references to an object, specified by a parameter to the function that have been associated with the Snowflake Native App.