Bug description

I reopen an issue about deprecated permissions not deleted after upgrade (previous issue: https://github.com/apache/superset/issues/29504)

Hello, after upgrade, deprecated permissions are not deleted.

I use a docker container. At every step, I do:

  • Run a container, with persistent volume for the database (/app/superset_home) and config (/app/pythonpath)
  • Execute 'superset db upgrade'
  • Execute 'superset init'

I tried a migration from 1.5.2 to 5.0.0-RC2 directly or by steps (1.5.2 --> 2.0.0 --> 3.0.0 --> 4.0.2 --> 5.0.0-rc2).

For the example, we focus on 'can select star on Superset'.

| Version | Permissions count | 'can select star on Superset' |
|---|---|---|
| 1.5.2 | 249 | Present |
| 2.0.0 | 194 | Not present |
| 3.0.0 | 169 | Not present |
| 4.0.2 | 167 | Not present |
| 5.0.0-RC2 | 160 | Not present |

With direct or steps migration, the permission count always increases.

| Version | Permissions count | 'can select star on Superset' |
|---|---|---|
| 1.5.2 | 249 | Present |
| ↳ 2.0.0 | 251 | Present |
| ↳ 3.0.0 | 276 | Present |
| ↳ 4.0.2 | 282 | Present |
| ↳ 5.0.0-RC2 | 291 | Present |

| Version | Permissions count | 'can select star on Superset' |
|---|---|---|
| 1.5.2 | 249 | Present |
| ↳ 5.0.0-RC2 | 286 | Present |

In #29504, permissions_cleanup.py is mentioned by dosu but this script is not present in the docker container.

How can I clean deprecated permissions for my container?

Best regards

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

To clean deprecated permissions in your Apache Superset Docker container, you can use the clean_perms method from the superset/security/manager.py file. This method is designed to clean up faulty permissions directly within the Superset application. You can invoke this method as part of your Superset initialization or maintenance process.

Here's a code snippet that shows how the clean_perms method is defined and used:

def clean_perms(self) -> None:
    """
    Clean up the FAB faulty permissions.
    """

    logger.info("Cleaning faulty perms")
    pvms = self.get_session.query(PermissionView).filter(
        or_(
            PermissionView.permission == None,  # noqa: E711
            PermissionView.view_menu == None,  # noqa: E711
        )
    )
    if deleted_count := pvms.delete():
        logger.info("Deleted %i faulty permissions", deleted_count)

You can call this method within your Superset application to clean up any deprecated or faulty permissions. The clean_perms method is called in the sync_role_definitions method within the Superset codebase, specifically in the superset/security/manager.py file [1].


Comment From: rusackas

I'm not sure if the bot is right (it often is!) but if so, we should run the superset/security/manager.py script at the end of the migration process. Looks like the end of superset/migrations/env.py might be the right spot?

Comment From: xavier-GitHub76

During my superset installations, I finalize the operation by executing the commands:

superset db upgrade
superset init

The traces of superset init show that the clean_perms function is executed:

2025-04-30 08:40:57,994:INFO:superset.security.manager:Syncing role definition
2025-04-30 08:40:58,080:INFO:superset.security.manager:Syncing Admin perms
2025-04-30 08:40:58,095:INFO:superset.security.manager:Syncing Alpha perms
2025-04-30 08:40:58,108:INFO:superset.security.manager:Syncing Gamma perms
2025-04-30 08:40:58,121:INFO:superset.security.manager:Syncing sql_lab perms
2025-04-30 08:40:58,128:INFO:superset.security.manager:Fetching a set of all perms to lookup which ones are missing
2025-04-30 08:40:58,137:INFO:superset.security.manager:Creating missing datasource permissions.
2025-04-30 08:40:58,154:INFO:superset.security.manager:Creating missing database permissions.
2025-04-30 08:40:58,159:INFO:superset.security.manager:Cleaning faulty perms

but the obsolete permissions persist
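
Added example, not part of the thread and not Superset's own code: the clean_perms filter quoted earlier only matches permission-view rows with a NULL permission or NULL view, so a well-formed but obsolete pair such as 'can select star on Superset' is left in place and stays attached to roles. The sketch contrasts that filter with a diff against a baseline of pairs taken from a fresh install of the target version. The in-memory SQLite rows, the stored name `can_select_star`, the baseline set and both function names are assumptions made for illustration; the table names are the Flask-AppBuilder ones.

```python
import sqlite3

# Object-level permissions are created per database/dataset and are never in a fresh-install baseline.
OBJECT_PERMS = {"database_access", "schema_access", "datasource_access"}

SCHEMA = """
CREATE TABLE ab_permission (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_view_menu (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_role (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_permission_view (id INTEGER PRIMARY KEY, permission_id INTEGER, view_menu_id INTEGER);
CREATE TABLE ab_permission_view_role (id INTEGER PRIMARY KEY, permission_view_id INTEGER, role_id INTEGER);
"""

def build_sample_db():
    # Constructed sample: one obsolete pair, one current pair, one object perm, one faulty row.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript("""
    INSERT INTO ab_permission VALUES (1,'can_select_star'),(2,'can_read'),(3,'datasource_access');
    INSERT INTO ab_view_menu VALUES (1,'Superset'),(2,'Chart'),(3,'[examples].[t](id:1)');
    INSERT INTO ab_role VALUES (1,'Admin'),(2,'Gamma');
    INSERT INTO ab_permission_view VALUES (1,1,1),(2,2,2),(3,3,3),(4,NULL,2);
    INSERT INTO ab_permission_view_role VALUES (1,1,1),(2,1,2),(3,2,1);
    """)
    return conn

def faulty_pvm_ids(conn):
    """Rows matched by the clean_perms filter: a NULL permission or a NULL view."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM ab_permission_view WHERE permission_id IS NULL OR view_menu_id IS NULL")]

def stale_pvms(conn, baseline):
    """Well-formed pairs absent from the baseline, mapped to the roles still holding them."""
    rows = conn.execute("""
        SELECT p.name, v.name, r.name
        FROM ab_permission_view pv
        JOIN ab_permission p ON p.id = pv.permission_id
        JOIN ab_view_menu v ON v.id = pv.view_menu_id
        LEFT JOIN ab_permission_view_role pvr ON pvr.permission_view_id = pv.id
        LEFT JOIN ab_role r ON r.id = pvr.role_id
        ORDER BY p.name, v.name, r.name""")
    stale = {}
    for perm, view, role in rows:
        if perm in OBJECT_PERMS or (perm, view) in baseline:
            continue
        roles = stale.setdefault((perm, view), [])
        if role:
            roles.append(role)
    return stale
```

On the sample data the clean_perms filter matches only row 4, while the baseline diff reports ('can_select_star', 'Superset') as still granted to Admin and Gamma. Review the diff output and back up the metadata database before deleting anything it lists.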

Comment From: rusackas

Is this still an issue after upgrading to 5.0?