KayleMaster opened a new issue #9245: URL: https://github.com/apache/airflow/issues/9245
**Apache Airflow version**: 1.10.10

**Environment**:

- **Cloud provider or hardware configuration**: AWS
- **OS**: Debian

**What happened**:

Created a new role, added "can_index" and "menu_access on DAGs". After webserver restart, new roles appeared:

[can delete on Airflow, can tree on Airflow, can index on Airflow, can task stats on Airflow, can gantt on Airflow, can task instances on Airflow, can landing times on Airflow, can log on Airflow, can dag stats on Airflow, can paused on Airflow, can run on Airflow, can trigger on Airflow, can xcom on Airflow, can rendered on Airflow, can dag details on Airflow, can refresh on Airflow, can tries on Airflow, can code on Airflow, can get logs with metadata on Airflow, can dagrun clear on Airflow, can duration on Airflow, can graph on Airflow, can blocked on Airflow, can pickle info on Airflow, can clear on Airflow, can task on Airflow, can success on Airflow, can list on DagModelView, can show on DagModelView, can list on DagRunModelView, can add on DagRunModelView, muldelete on DagRunModelView, set failed on DagRunModelView, set running on DagRunModelView, set success on DagRunModelView, menu access on DAG Runs, menu access on Browse, can list on JobModelView, menu access on Jobs, can list on LogModelView, menu access on Logs, can list on SlaMissModelView, menu access on SLA Misses, can list on TaskInstanceModelView, clear on TaskInstanceModelView, set failed on TaskInstanceModelView, set running on TaskInstanceModelView, set success on TaskInstanceModelView, menu access on Task Instances, menu access on Documentation, menu access on Docs, can version on VersionView, menu access on Version, menu access on About]

**What you expected to happen**:

Role is persistent unless changed by a user.

**How to reproduce it**:

Add new role with "can_index" and "menu access on DAG Runs". Restart webserver. The new role now has extra permissions.

**Anything else we need to know**:

100% reproducible. I've found people with a similar issue on Stack Overflow: https://stackoverflow.com/questions/60100536/apache-airflow-some-permissions-on-new-role-are-reset

And on Slack a similar issue:

```
We are currently running Airflow 1.10.9 and facing a weird issue with role permissions.
Make a copy of the Viewer role and rename it to something else (can be reproduced without renaming as well)
Refresh the Roles page a couple of times or click on Edit for the copied role
The role now has permissions which it did not have before. Even though I never added those permissions
For example, the Viewer role does not have the permission set failed on DagRunModelView while a copy of the Viewer role has that permission even though I never added it to the copied role.
```
