fix: create permissions on DB import #29802
Conversation
dosubot
bot
added
the
data:databases
betodealmeida
force-pushed
the
create-perms-db-import
branch
3 times, most recently
from
ed14750 to
3ebe186
Compare
betodealmeida
added
the
merge-if-green
pyproject.toml
Outdated
| @@ -236,7 +236,7 @@ legacy_tox_ini = """ | |||
| # Remember to start celery workers to run celery tests, e.g. | |||
| # celery --app=superset.tasks.celery_app:app worker -Ofair -c 2 | |||
| [testenv] | |||
| basepython = python3.10 | |||
| basepython = python3.11 | |||
There was a problem hiding this comment.
Just to double check: if this version change were to affect any other tests or logic, it should fail the GH Actions for this PR as well, right?
There was a problem hiding this comment.
Ah, I need to revert this, it was for testing locally. Sorry.
There was a problem hiding this comment.
Hey @betodealmeida I believe this should be good to be approved as soon as you revert this change 🙌
| catalogs = {catalog for (catalog,) in engine.execute("SHOW CATALOGS")} | ||
| if len(catalogs) == 1: | ||
| return catalogs.pop() |
There was a problem hiding this comment.
if SHOW CATALOGS returns only spark_catalog, it seems we're returning it. Do we want to return spark_catalog, or do we need to return hive_metastore instead (when there's only spark_catalog)? I'm asking it because I think there are issues with other metadata calls if we try to use spark_catalog when the catalog selected in the form is hive_metastore (or if UC is not enabled).
Also, if multi_catalog is disabled, do we want to rely on SHOW CATALOGS? Should we validate if multi_catalog is disabled first, and if so return the value of current_catalog() directly (which should be the catalog from the form)?
There was a problem hiding this comment.
The problem is that we need to create the permissions regardless of the state of multi_catalog. For Databricks, the migration process will create permissions for:
- Whatever
get_default_catalog()returns. - All the catalogs from
get_catalog_namesdifferent from the default catalog from (1).
For Databricks, this means we're creating 2 permissions when Unity Catalog is not enabled:
[Databricks].[hive_metastore][Databricks].[spark_catalog]
This in itself is already a problem for the admin — which would should they assign roles to? Either one is problematic, depending on the status of multi_catalog:
With multi_catalog disabled the catalog sent by API calls is null, so it gets replaced with the default catalog, hive_metastore. If the admin assign roles to [Databricks].[spark_catalog] people won't be able to access datasets, because of the name mismatch.
With multi_catalog enabled the only option in the dropdown is spark_catalog. Which means if the admin assigned roles to [Databricks].[hive_metastore] people won't be able to access datasets.
With the change in this PR, everything is consistent, because the default catalog is part of the list of catalogs.
|
@supersetbot label 4.1 |
github-actions
bot
added
the
v4.1
betodealmeida
force-pushed
the
create-perms-db-import
branch
from
3ebe186 to
3705e5d
Compare
(cherry picked from commit 61c0970)
github-actions
bot
added
🍒 4.1.0
🏷️ bot
SUMMARY
A few bugs related to catalogs and permissions:
CreateDatabaseCommandin this case) to prevent duplicate logic (the import/export flow was created before the introduction of commands). For now this PR just adds the logic manually.catalog_permsupdated.get_default_catalog() ⊈ get_catalog_names(), so I fixed it.BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A
TESTING INSTRUCTIONS
Added and updated tests.
ADDITIONAL INFORMATION