dosubot[bot] commented on issue #36261: URL: https://github.com/apache/superset/issues/36261#issuecomment-3574598368
Hi @shunki-fujita! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

In Superset 5.0.0, the sql_lab role should include the can_estimate_query_cost permission by default, as it's defined in the core set of SQL Lab permissions. If it's missing, this could be due to a permission sync issue or a naming mismatch (for example, between "SQLLab" and "SQL Lab"), which has caused problems in some upgrades. Running the security manager's sync routine or manually correcting permission names in the metadata database can resolve this in most cases. See the relevant code reference for how these permissions are assigned and common pitfalls with naming mismatches: [SupersetSecurityManager SQLLAB_ONLY_PERMISSIONS](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L346-L1336).

There is no can_format_sql permission in the codebase, so it cannot be assigned to any role. The Format SQL endpoint is protected by a generic "read" permission, not a specific can_format_sql permission, so there is nothing to add to the sql_lab role for this feature. See the endpoint implementation here: [format_sql API protection](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/sqllab/api.py#L142-L235).

If you continue to see missing permissions or access denied errors after syncing roles, check the backend logs for the exact permission being denied and verify that your metadata DB doesn't have legacy or mismatched permission names. This is especially important if you've upgraded from older versions, as naming inconsistencies have caused similar issues before.

*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
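An added example, not part of the comment above and not Superset's own code: one way to audit a role in the metadata DB for the kind of naming mismatch the comment describes ("SQLLab" vs "SQL Lab"). It assumes the Flask-AppBuilder security tables (`ab_role`, `ab_permission`, `ab_view_menu`, `ab_permission_view`, `ab_permission_view_role`); the rows, the expected permission pairs and the helper names `audit_role` and `demo` are constructed for illustration.

```python
import sqlite3

# Flask-AppBuilder security tables; all rows are constructed sample data.
SCHEMA = """
CREATE TABLE ab_role (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_permission (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_view_menu (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_permission_view (id INTEGER PRIMARY KEY, permission_id INT, view_menu_id INT);
CREATE TABLE ab_permission_view_role (id INTEGER PRIMARY KEY, permission_view_id INT, role_id INT);
INSERT INTO ab_role VALUES (1, 'sql_lab');
INSERT INTO ab_permission VALUES (1, 'can_estimate_query_cost'), (2, 'can_read');
INSERT INTO ab_view_menu VALUES (1, 'SQL Lab'), (2, 'SQLLab'), (3, 'Query');
INSERT INTO ab_permission_view VALUES (1, 1, 1), (2, 2, 2), (3, 2, 3);
INSERT INTO ab_permission_view_role VALUES (1, 1, 1), (2, 2, 1), (3, 3, 1);
"""

ROLE_PERMS = """
SELECT p.name, v.name
FROM ab_role r
JOIN ab_permission_view_role pvr ON pvr.role_id = r.id
JOIN ab_permission_view pv ON pv.id = pvr.permission_view_id
JOIN ab_permission p ON p.id = pv.permission_id
JOIN ab_view_menu v ON v.id = pv.view_menu_id
WHERE r.name = ?
"""

def _norm(name):
    # Fold case and drop non-alphanumerics so "SQL Lab" and "SQLLab" compare equal.
    return "".join(ch for ch in name.lower() if ch.isalnum())

def audit_role(conn, role, expected):
    """Return (missing, near_misses) for the expected (permission, view) pairs."""
    granted = set(conn.execute(ROLE_PERMS, (role,)).fetchall())
    missing, near = [], []
    for pair in sorted(expected - granted):
        lookalikes = sorted(g for g in granted if tuple(map(_norm, g)) == tuple(map(_norm, pair)))
        if lookalikes:
            near.append((pair, lookalikes))  # granted under a mismatched name
        else:
            missing.append(pair)             # not granted under any spelling
    return missing, near

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Expected pairs are an assumption for this demo; take the real set from manager.py.
    expected = {("can_estimate_query_cost", "SQLLab"), ("can_read", "Query"), ("can_read", "SavedQuery")}
    return audit_role(conn, "sql_lab", expected)
```

A near miss means the role holds the permission on a view whose name differs only in spacing or case, which is the case to investigate before re-running a role sync; a plain miss means the grant is absent altogether.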
