Skip to content

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Convoluted way of permissions for streamlit app when deploying making it (near) unusable #1150

Closed
RobindeGrootNL opened this issue May 31, 2024 · 5 comments
Closed

Convoluted way of permissions for streamlit app when deploying making it (near) unusable #1150

RobindeGrootNL opened this issue May 31, 2024 · 5 comments

Comments

@RobindeGrootNL
Copy link

Description

I would like the streamlit app permissions to be able to be set a lot easier, directly after deploying the streamlit app. This can be done for example by a snowSQL query assigning permissions, or by having FUTURE GRANTS supported for streamlit apps. That way I can give the users who will be deploying the streamlit app also the access to view the streamlit app (from another role that is more widely accessible), and assign those permissions in an automated way without having to use an admin role in automations.

I tried to set FUTURE GRANTS on the streamlit schema so all streamlit apps in there could be viewed by a designated role, but that isn't supported. An additional difficulty is that redeploying a streamlit app (streamlit deploy --replace) resets the permissions on that app, even though the name of the streamlit app is the exact same.

This is how I deploy a streamilt app as part of a make target:

	snow streamlit deploy \
		--temporary-connection \
		--replace \
		--account $(SNOWFLAKE_ACCOUNT).$(SNOWFLAKE_REGION) \
		--schema $(SNOWFLAKE_SCHEMA_STREAMLIT) \
		--role $($(DBT_TARGET_UPPER)_SNOWFLAKE_ROLE_STREAMLIT) \
	$(ECHO) "GRANT USAGE on STREAMLIT $($(DBT_TARGET_UPPER)_SNOWFLAKE_DATABASE).$(SNOWFLAKE_SCHEMA_STREAMLIT).$* to ROLE \
$(SNOWFLAKE_ROLE);" | snowflake-execute

With snowflake-execute being a script that sends queries to snowflake. This doesn't work because the role I use for the deployment is not the owner of the schema, the admin account is, and I don't want to use that in automations for obvious reasons.

Context

I want to use streamlit internally in a federated snowflake spaces setup, in order to give the different teams in the different spaces the capability to create streamlit apps, deploy them to snowflake, and send a query to snowflake to assign the permissions to view that streamlit app to different roles. As of now, that can only be done by the schema owner as we have managed access on the schema where we want the streamlit app to live, and that is a role we don't want to use in the automated deploy process for streamlit.

I really want this streamlit capability to work well, because I see the usefulness of it, and so do the analysts in our company. I just wish the permissions handling would be a lot better.
@github-actions github-actions bot changed the title Convoluted way of permissions for streamlit app when deploying making it (near) unusable SNOW-1457429: Convoluted way of permissions for streamlit app when deploying making it (near) unusable May 31, 2024
@sfc-gh-astus
Copy link
Contributor

Hi @RobindeGrootNL, we have snow streamlit share command https://docs.snowflake.com/en/developer-guide/snowflake-cli-v2/streamlit-apps/manage-apps/share-app . Does this solve your problem or do you need something else?

@RobindeGrootNL
Copy link
Author

@sfc-gh-astus Thank you for your quick response! I'll have a look at that! I'll update here in the near future how that went!

@RobindeGrootNL
Copy link
Author

Unfortunately I am getting the following error, so I am afraid that the snow streamlit share feature does not support my environment.

SQL execution error: Not authorized in a managed access schema. Use the schema owner role or a role with the MANAGE GRANTS privilege.

As I don't want to use the admin account in CI/CD pipelines, I am afraid that this doesn't fix my problem. I'm starting to think that support for FUTURE GRANTS for streamlit apps might be the only way to get streamlit to work the way I want it to :(. I see that the share command just runs the following query: f"grant usage on streamlit {streamlit_name} to role {to_role}"

@sfc-gh-astus
Copy link
Contributor

You could create schema dedicated for streamlit apps and give privileges to grant usage on streamlits. It will not require an admin account.
Unfortunately, there is no other way.

@RobindeGrootNL
Copy link
Author

@sfc-gh-astus We have a schema where the streamlit app(s) will live, as well as their stage(s). We define all schemas with manage grants, so only the schema owner has the privileges to grant the usage on the created streamlit apps. The owner of all our schemas is a space admin role (and user) that we do not want to have the credentials in the CI pipeline for. I think that means that we probably have to find another way around this, or look into a different dashboard solution. Thank you very much for the responses and the help! 🙌

@sfc-gh-turbaszek sfc-gh-turbaszek changed the title SNOW-1457429: Convoluted way of permissions for streamlit app when deploying making it (near) unusable Convoluted way of permissions for streamlit app when deploying making it (near) unusable Jun 6, 2024
@snowflakedb snowflakedb locked and limited conversation to collaborators Jun 6, 2024
@sfc-gh-turbaszek sfc-gh-turbaszek converted this issue into discussion #1164 Jun 6, 2024

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@RobindeGrootNL @sfc-gh-astus