Fix sync-perm to work correctly when update_fab_perms = False (#14847)

If Airflow is configured with update_fab_perms config setting to False, then the Op, User and Viewer roles are created _before_ the permissions objects are written to the database, meaning that these roles did not correctly get assigned all the permissions we asked for (the missing permissions are just silently not created.) Because of the "migrate to resource permission" migration this problem is not "disasterous" as all most of the Permissions et al. we use are created by a migration. This changes it so that the permissions are always created/synced before we look at the roles. (Re-running sync-perm wouldn't fix this, as although the second time around the Permissions will exist in the DB, we see that Op role already has permissions and don't make any changes, assuming that the site operators made such changes.) (cherry picked from commit 1cd62b9)
apache · May 9, 2021 · c3962e0 · c3962e0
1 parent 7fda8d1
commit c3962e0
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/airflow/cli/commands/sync_perm_command.py b/airflow/cli/commands/sync_perm_command.py
@@ -26,9 +26,9 @@ def sync_perm(args):
     """Updates permissions for existing roles and DAGs"""
     appbuilder = cached_app().appbuilder  # pylint: disable=no-member
     print('Updating permission, view-menu for all existing roles')
-    appbuilder.sm.sync_roles()
-    # Add missing permissions for all the Base Views
+    # Add missing permissions for all the Base Views _before_ syncing/creating roles
     appbuilder.add_permissions(update_perms=True)
+    appbuilder.sm.sync_roles()
     print('Updating permission on all DAG views')
     dagbag = DagBag(read_dags_from_db=True)
     dagbag.collect_dags_from_db()