From c3962e06fa13863a9ab7f52a1116f0ba21adbe83 Mon Sep 17 00:00:00 2001 From: Ash Berlin-Taylor Date: Wed, 17 Mar 2021 11:45:45 +0000 Subject: [PATCH] Fix `sync-perm` to work correctly when update_fab_perms = False (#14847) If Airflow is configured with update_fab_perms config setting to False, then the Op, User and Viewer roles are created _before_ the permissions objects are written to the database, meaning that these roles did not correctly get assigned all the permissions we asked for (the missing permissions are just silently not created.) Because of the "migrate to resource permission" migration this problem is not "disasterous" as all most of the Permissions et al. we use are created by a migration. This changes it so that the permissions are always created/synced before we look at the roles. (Re-running sync-perm wouldn't fix this, as although the second time around the Permissions will exist in the DB, we see that Op role already has permissions and don't make any changes, assuming that the site operators made such changes.) (cherry picked from commit 1cd62b9c7ce76bd791e0445a741a1ee44e6fb1f7) --- airflow/cli/commands/sync_perm_command.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/airflow/cli/commands/sync_perm_command.py b/airflow/cli/commands/sync_perm_command.py index 072f2b9ed8ce4..e382b89998c45 100644 --- a/airflow/cli/commands/sync_perm_command.py +++ b/airflow/cli/commands/sync_perm_command.py @@ -26,9 +26,9 @@ def sync_perm(args): """Updates permissions for existing roles and DAGs""" appbuilder = cached_app().appbuilder # pylint: disable=no-member print('Updating permission, view-menu for all existing roles') - appbuilder.sm.sync_roles() - # Add missing permissions for all the Base Views + # Add missing permissions for all the Base Views _before_ syncing/creating roles appbuilder.add_permissions(update_perms=True) + appbuilder.sm.sync_roles() print('Updating permission on all DAG views') dagbag = DagBag(read_dags_from_db=True) dagbag.collect_dags_from_db()