Posted to commits@airflow.apache.org by as...@apache.org on 2021/03/17 11:46:34 UTC
[airflow] branch master updated: Fix `sync-perm` to work correctly
when update_fab_perms = False (#14847)
This is an automated email from the ASF dual-hosted git repository.
ash pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/master by this push:
new 1cd62b9 Fix `sync-perm` to work correctly when update_fab_perms = False (#14847)
1cd62b9 is described below
commit 1cd62b9c7ce76bd791e0445a741a1ee44e6fb1f7
Author: Ash Berlin-Taylor <as...@firemirror.com>
AuthorDate: Wed Mar 17 11:45:45 2021 +0000
Fix `sync-perm` to work correctly when update_fab_perms = False (#14847)
If Airflow is configured with update_fab_perms config setting to False,
then the Op, User and Viewer roles are created _before_ the permissions
objects are written to the database, meaning that these roles did not
correctly get assigned all the permissions we asked for (the missing
permissions are just silently not created.)
Because of the "migrate to resource permission" migration this problem
is not "disastrous" as all most of the Permissions et al. we use are
created by a migration.
This changes it so that the permissions are always created/synced before
we look at the roles.
(Re-running sync-perm wouldn't fix this, as although the second time
around the Permissions will exist in the DB, we see that Op role already
has permissions and don't make any changes, assuming that the site
operators made such changes.)
---
airflow/cli/commands/sync_perm_command.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/airflow/cli/commands/sync_perm_command.py b/airflow/cli/commands/sync_perm_command.py
index 072f2b9..e382b89 100644
--- a/airflow/cli/commands/sync_perm_command.py
+++ b/airflow/cli/commands/sync_perm_command.py
@@ -26,9 +26,9 @@ def sync_perm(args):
"""Updates permissions for existing roles and DAGs"""
appbuilder = cached_app().appbuilder # pylint: disable=no-member
print('Updating permission, view-menu for all existing roles')
- appbuilder.sm.sync_roles()
- # Add missing permissions for all the Base Views
+ # Add missing permissions for all the Base Views _before_ syncing/creating roles
appbuilder.add_permissions(update_perms=True)
+ appbuilder.sm.sync_roles()
print('Updating permission on all DAG views')
dagbag = DagBag(read_dags_from_db=True)
dagbag.collect_dags_from_db()
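Review bot: The new call order, `appbuilder.add_permissions(update_perms=True)` followed by `appbuilder.sm.sync_roles()`, is protected only by the added comment, and the diffstat shows no test file changed, so a later refactor could swap the calls back without anything failing. Suggest a test for `sync_perm` that mocks `appbuilder` and asserts `add_permissions` is called before `sm.sync_roles`. Separately, the commit message says re-running sync-perm does not repair roles that were already created with missing permissions, and nothing in this hunk addresses those installations; a short note telling operators how to check the Op, User and Viewer roles after upgrading would close that gap.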