Creating a User Interface to Request Privileges and References¶
This topic describes how to create a user interface using Streamlit and Snowsight to allow consumers to grant privileges and create references for an installed Snowflake Native App. The Snowflake Native App Framework provides the Python Permission SDK that allows providers to embed requests for the consumer using a Streamlit app.
About Privileges and References¶
For general information on requesting privileges and references from the consumer using the Snowflake Native App Framework, refer to Requesting Privileges in a Consumer Account.
About the Python Permission SDK¶
The Snowflake Native App Framework provides the Python Permission SDK which allows a provider to do the following within a Snowflake Native App:
Check for account level privileges.
Request global privileges that are listed in the manifest file.
Request references to objects and their corresponding object level privileges as defined in the manifest file.
Request privileged actions, for example creating an API integration or creating a share.
Using the Python Permission SDK, Snowsight displays the access requests in the Security tab of the installed Snowflake Native App.
Workflow for Creating an Interface to Approve Privileges and Bind References¶
The following general workflow outlines the steps required to implement a Streamlit app to request grants for privileges and references from the consumer.
Create an application package.
In the manifest file, specify the privileges and define the references required for the Snowflake Native App.
Add a Streamlit app to your application package.
environment.ymlfile to your application package.
environment.ymlfile must be in the same directory as main Streamlit file used to implement the Snowsight interface.
snowflake-native-apps-permissionlibrary as a dependency.
snowflake.permissionslibrary in your Streamlit app.
Add functions to your Streamlit app that call the functions provided by the SDK.
Adding the Python Permission SDK to Your Streamlit Environment¶
To use the Python Permission SDK in a Streamlit app, add the
package as a dependency in your
environment.yml file as shown in the following example:
name: sf_env channels: - snowflake dependencies: - snowflake-native-apps-permission
Importing the Python Permission SDK in Your Streamlit App¶
To import the Python Permission SDK into your Streamlit app, include the following import statement in your app:
import snowflake.permissions as permissions;
Requesting Privileges from the Consumer¶
The following examples show how to perform different tasks using the Python Permission SDK.
Checking Account Level Privileges¶
This example shows how to use the
get_held_account_privileges() method of the Permissions
API to check if permissions declared in the manifest file are granted to the installed Snowflake Native App.
For example, if a Snowflake Native App needs to create a database outside of the APPLICATION object, a provider can define the reference in the manifest file as follows:
privileges: - CREATE DATABASE: description: "Creation of ingestion (required) and audit databases"
Using the Python Permission SDK, you can use the
get_held_account_privileges() method to
obtain a list of privileges that have been granted to the Snowflake Native App.
import streamlit as st import snowflake.permissions as permissions ... if not permissions.get_held_account_privileges(["CREATE DATABASE"]): st.error("The app needs CREATE DB privilege to replicate data")
This example calls the
get_held_account_privileges() function, passing the
CREATE DATABASE permission as a parameter. A provider can use
function to respond appropriately until the consumer grants the required privileges to
the Snowflake Native App.
Only privileges defined in the manifest file are valid arguments to
get_held_account_privileges(). Passing other arguments results in an error.
Requesting Privileged Actions from the Consumer¶
Providers can use the Python Permission SDK to request privileged actions required by the Snowflake Native App.
For example, to request an API integration that allows the Snowflake Native App to connect to a ServiceNow instance, a provider would define the API integration in the manifest file:
references: - servicenow_api_integration: label: "API INTEGRATION for ServiceNow communication" description: "An integration required in order to support extraction and visualization of ServiceNow data." privileges: - USAGE object_type: API Integration register_callback: config.register_reference
Next, in the Streamlit app, the provider calls the
to request the USAGE privilege on the API integration as shown in the following example:
Python Permission SDK Reference¶
The following table lists the functions provided in the
snowflake.permissions module by the
Python Permission SDK:
Requests privileges from the consumer specified by a string array passed to the function that contains the privileges. The specified privileges must be listed in the manifest file.
Requests a reference from the consumer specified by the string passed to the function. The reference passed to the function must be defined in the manifest file. Refer to Object Types and Privileges that a Reference Can Contain for the objects that can be included in a reference and their supported privileges.
Requests an API integration from the consumer for the Amazon API Gateway. The
Refer to CREATE API INTEGRATION for information on other parameters.
Requests an API integration from the consumer for Azure API Management. The
Requests an API integration from the consumer for Google Cloud API Gateway. The
Returns an array containing the privileges that have been granted to the Snowflake Native App based on the array of privileges passed to the function.
Returns an array containing the privileges that have not been granted to the Snowflake Native App based on the array of privileges passed to the function.
Returns an array containing a list of references to an object, specified by a parameter to the function that have been associated with the Snowflake Native App.