betodealmeida commented on code in PR #32231:
URL: https://github.com/apache/superset/pull/32231#discussion_r1953011328
##########
superset-frontend/src/pages/DatabaseList/index.tsx:
##########
@@ -121,6 +123,9 @@ function DatabaseList({
const fullUser = useSelector<any, UserWithPermissionsAndRoles>(
state => state.user,
);
+ const shouldResyncPermsInAsyncMode = useSelector<any, boolean>(
Review Comment:
Nit: I would just use "sync" instead of "resync" everywhere in the PR. The
"re" prefix seems a bit unnecessary, since "synchronizing" already implies some
kind of periodic update, IMO.
##########
superset/commands/database/update.py:
##########
@@ -87,8 +90,23 @@ def run(self) -> Model:
database = DatabaseDAO.update(self._model, self._properties)
database.set_sqlalchemy_uri(database.sqlalchemy_uri)
ssh_tunnel = self._handle_ssh_tunnel(database)
+ async_resync_perms = app.config["RESYNC_DB_PERMISSIONS_IN_ASYNC_MODE"]
try:
- self._refresh_catalogs(database, original_database_name,
ssh_tunnel)
+ if async_resync_perms:
+ current_username = get_username()
+ ResyncPermissionsAsyncCommand(
Review Comment:
Asycn doesn't work with ssh tunnelling?
##########
superset/databases/api.py:
##########
@@ -613,6 +622,61 @@ def delete(self, pk: int) -> Response:
)
return self.response_422(message=str(ex))
+ @expose("/<int:pk>/resync_permissions/", methods=("POST",))
+ @protect()
+ @safe
Review Comment:
The `@safe` decorator is not compatible with
[SIP-40](https://github.com/apache/superset/issues/9194), we shouldn't use it.
If you remove it you can also remove the `try/except` block in the view, and
just let the exceptions bubble up.
##########
superset/commands/database/resync_permissions.py:
##########
@@ -0,0 +1,276 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+import logging
+from functools import partial
+from typing import Iterable
+
+from superset import security_manager
+from superset.commands.base import BaseCommand
+from superset.commands.database.exceptions import (
+ DatabaseConnectionFailedError,
+ DatabaseConnectionResyncPermissionsError,
+ DatabaseNotFoundError,
+)
+from superset.commands.database.utils import ping
+from superset.daos.database import DatabaseDAO
+from superset.daos.dataset import DatasetDAO
+from superset.databases.ssh_tunnel.models import SSHTunnel
+from superset.db_engine_specs.base import GenericDBException
+from superset.exceptions import OAuth2RedirectError
+from superset.models.core import Database
+from superset.utils.decorators import on_error, transaction
+
+logger = logging.getLogger(__name__)
+
+
+class ResyncPermissionsCommand(BaseCommand):
+ """
+ Command to resync database permissions.
+ """
+
+ def __init__(
+ self,
+ model_id: int,
+ old_db_connection_name: str | None = None,
+ db_connection: Database | None = None,
+ ssh_tunnel: SSHTunnel | None = None,
+ ):
+ """
+ Constructor method.
+ """
+ self.db_connection_id = model_id
+ self.old_db_connection_name: str | None = old_db_connection_name
+ self.db_connection: Database | None = db_connection
+ self.db_connection_ssh_tunnel: SSHTunnel | None = ssh_tunnel
+
+ def validate(self) -> None:
+ if not self.db_connection:
+ database = DatabaseDAO.find_by_id(self.db_connection_id)
+ if not database:
+ raise DatabaseNotFoundError()
+ self.db_connection = database
+
+ if not self.old_db_connection_name:
+ self.old_db_connection_name = self.db_connection.database_name
+
+ if not self.db_connection_ssh_tunnel:
+ self.db_connection_ssh_tunnel = DatabaseDAO.get_ssh_tunnel(
+ self.db_connection_id
+ )
+
+ with self.db_connection.get_sqla_engine() as engine:
+ try:
+ alive = ping(engine)
+ except Exception as err:
+ raise DatabaseConnectionFailedError() from err
+
+ if not alive:
+ raise DatabaseConnectionFailedError()
+
+ @transaction(
+ on_error=partial(on_error,
reraise=DatabaseConnectionResyncPermissionsError)
+ )
+ def run(self) -> None:
+ """
+ Resyncs the permissions for a DB connection.
+ """
+ self.validate()
+
+ # Make mypy happy (these are already checked in validate)
+ assert self.db_connection
+ assert self.old_db_connection_name
+
+ catalogs = (
+ self._get_catalog_names(self.db_connection)
+ if self.db_connection.db_engine_spec.supports_catalog
+ else [None]
+ )
+
+ for catalog in catalogs:
+ try:
+ schemas = self._get_schema_names(self.db_connection, catalog)
+
+ if catalog:
+ perm = security_manager.get_catalog_perm(
+ self.old_db_connection_name,
+ catalog,
+ )
+ existing_pvm = security_manager.find_permission_view_menu(
+ "catalog_access",
+ perm,
+ )
+ if not existing_pvm:
+ # new catalog
+ security_manager.add_permission_view_menu(
+ "catalog_access",
+ security_manager.get_catalog_perm(
+ self.db_connection.database_name,
+ catalog,
+ ),
+ )
+ for schema in schemas:
+ security_manager.add_permission_view_menu(
+ "schema_access",
+ security_manager.get_schema_perm(
+ self.db_connection.database_name,
+ catalog,
+ schema,
+ ),
+ )
+ continue
+ except DatabaseConnectionFailedError:
+ # more than one catalog, move to next
+ if catalog:
+ logger.warning("Error processing catalog %s", catalog)
+ continue
+ raise
Review Comment:
This could still be true if you have just one catalog, ie, `catalogs =
["something"]`. I would just log a warning and continue:
```suggestion
except DatabaseConnectionFailedError:
logger.warning("Error processing catalog %s", catalog or
"(default)")
```
##########
superset/commands/database/resync_permissions.py:
##########
@@ -0,0 +1,276 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
Review Comment:
I think having a flag is good, or having one of them inherit from the other
(looks like `validate` is identical, eg).
##########
superset/tasks/permissions.py:
##########
@@ -0,0 +1,56 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+import logging
+
+from flask import current_app, g
+
+from superset import security_manager
+from superset.commands.database.resync_permissions import
ResyncPermissionsCommand
+from superset.daos.database import DatabaseDAO
+from superset.extensions import celery_app
+
+logger = logging.getLogger(__name__)
+
+
+@celery_app.task(name="resync_database_permissions", soft_time_limit=600)
+def resync_database_permissions(
+ database_id: int, username: str, original_database_name: str
+) -> None:
+ logger.info("Resyncing permissions for DB connection ID %s", database_id)
+ with current_app.test_request_context():
+ try:
+ user = security_manager.get_user_by_username(username)
+ assert user
+ g.user = user
+ logger.info("Impersonating user ID %s", g.user.id)
+ db_connection = DatabaseDAO.find_by_id(database_id)
+ ssh_tunnel = DatabaseDAO.get_ssh_tunnel(database_id)
Review Comment:
Ah!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org
For additional commands, e-mail: notifications-h...@superset.apache.org
