Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Warnings about refusal to delete permissions on XComModelView #10331

Closed
alexbegg opened this issue Aug 14, 2020 · 17 comments
Closed

Warnings about refusal to delete permissions on XComModelView #10331

alexbegg opened this issue Aug 14, 2020 · 17 comments
Labels
affected_version:2.1 Issues Reported for 2.1 area:auth area:webserver Webserver related Issues kind:bug This is a clearly a bug
Milestone
Airflow 2.2.5

Comments

@alexbegg
Copy link
Contributor

alexbegg commented Aug 14, 2020
edited
Loading

Apache Airflow version:
1.10.11

Kubernetes version (if you are using kubernetes) (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6", GitCommit:"dff82dc0de47299ab66c83c626e08b245ab19037", GitTreeState:"clean", BuildDate:"2020-07-16T00:04:31Z", GoVersion:"go1.14.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-13T06:39:58Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: Azure Kubernetes Service
  • OS (e.g. from /etc/os-release): Debian GNU/Linux 10 (buster)
  • Kernel (e.g. uname -a): Linux airflow-web-65cb7d9cb8-qzcbv 4.15.0-1089-azure Http protocol sensor #99~16.04.1-Ubuntu SMP Fri Jun 5 15:30:32 UTC 2020 x86_64 GNU/Linux
  • Install tools: Helm chart "stable/airflow"
  • Others:

What happened:

After upgrading from 1.10.10 to 1.10.11 (and also with new installs of 1.10.11) there are some permission warnings in the webserver logs:

[2020-08-14 22:19:30,022] {manager.py:545} WARNING - Refused to delete permission view, assoc with role exists XComModelView.can_add Admin
[2020-08-14 22:19:30,038] {manager.py:545} WARNING - Refused to delete permission view, assoc with role exists XComModelView.can_edit Admin

It seems to be directly related to #9614 that @kaxil introduced for 1.10.11 which removes the can_add and can_edit permissions from XComModelView, but Airflow can not delete the permissions from that view because relations to those permissions still exist on the "Admin" and "Op" roles.

In more technical terms, the two permissions can't be deleted from ab_permission_view table because each have relations to both the Admin's and Op's role_ids in the ab_permission_view_role table.

What you expected to happen:
No warnings with Airflow 1.10.11

How to reproduce it:

  1. Install 1.10.11
  2. Either:
    1. View the logs of the webserver
    2. Run any airflow CLI command, such as airflow list_users and view the outputted log messages
  3. After a few lines of the log you will see the warnings

Anything else we need to know:

If those 4 role permissions are removed from the ab_permission_view_role table the warnings should stop. I think a migration needs to be added, or some logic that cleans up these role permissions is failing to do its job.
@alexbegg alexbegg added the kind:bug This is a clearly a bug label Aug 14, 2020
@boring-cyborg
Copy link

boring-cyborg bot commented Aug 14, 2020

Thanks for opening your first issue here! Be sure to follow the issue template!

@kaxil kaxil self-assigned this Aug 14, 2020
@tooptoop4
Copy link
Contributor

tooptoop4 commented Oct 7, 2020
edited
Loading

i get same warning on 1.10.12

also get this:

[2020-10-07 09:10:15,238] {manager.py:440} ERROR - Add View Menu Error: (MySQLdb._exceptions.IntegrityError) (1062, "Duplicate entry 'mydagname' for key 'name'")
[SQL: INSERT INTO ab_view_menu (name) VALUES (%s)]

@kaxil kaxil added this to the Airflow 1.10.13 milestone Oct 7, 2020
@mik-laj mik-laj added the area:webserver Webserver related Issues label Oct 9, 2020
@potiuk
Copy link
Member

potiuk commented Dec 7, 2020

Hey @kaxil - are we doing anything about it in 2.0.0rc1? Or should we postpone?

@kaxil kaxil modified the milestones: Airflow 2.0.0rc1, Airflow 2.1 Dec 7, 2020
@kaxil
Copy link
Member

kaxil commented Dec 7, 2020

Yeah not critical --- just annoying warning. Moved to 2.1

@zachliu
Copy link
Contributor

zachliu commented Jan 11, 2021

i got the same warnings on 2.0.0 (release:2.0.0+ab5f770bfcd8c690cbe4d0825896325aca0beeca):

2021-01-11T12:13:35.605-05:00	[2021-01-11 17:13:35,604] {{manager.py:547}} WARNING - Refused to delete permission view, assoc with role exists Airflow.can_pickle_info Admin

2021-01-11T12:13:35.613-05:00	[2021-01-11 17:13:35,613] {{manager.py:547}} WARNING - Refused to delete permission view, assoc with role exists Airflow.can_elasticsearch Admin

2021-01-11T12:13:35.621-05:00	[2021-01-11 17:13:35,621] {{manager.py:547}} WARNING - Refused to delete permission view, assoc with role exists Airflow.can_dagrun_success Admin

...

i checked the database, it's been migrated successfully alembic_version is e959f08ac86c

@kaxil
Copy link
Member

kaxil commented Jan 11, 2021

i got the same warnings on 2.0.0 (release:2.0.0+ab5f770bfcd8c690cbe4d0825896325aca0beeca):

2021-01-11T12:13:35.605-05:00	[2021-01-11 17:13:35,604] {{manager.py:547}} WARNING - Refused to delete permission view, assoc with role exists Airflow.can_pickle_info Admin

2021-01-11T12:13:35.613-05:00	[2021-01-11 17:13:35,613] {{manager.py:547}} WARNING - Refused to delete permission view, assoc with role exists Airflow.can_elasticsearch Admin

2021-01-11T12:13:35.621-05:00	[2021-01-11 17:13:35,621] {{manager.py:547}} WARNING - Refused to delete permission view, assoc with role exists Airflow.can_dagrun_success Admin

...

i checked the database, it's been migrated successfully alembic_version is e959f08ac86c

Yeah currently we don't have migrations that remove those view permission -- but they are harmless warning that you can ignore

cc @jhtimmins

@kaxil kaxil removed their assignment Jan 18, 2021
@kaxil
Copy link
Member

kaxil commented Apr 27, 2021

cc @jedcunningham Can you take a look at it -- the warning will show once you update from 1.10.x

@jhtimmins jhtimmins modified the milestones: Airflow 2.1, Airflow 2.1.1 May 12, 2021
@gshiba gshiba mentioned this issue Jun 16, 2021
Closed
@kaxil kaxil modified the milestones: Airflow 2.1.1, Airflow 2.1.2 Jun 22, 2021
@eladkal eladkal added the affected_version:2.1 Issues Reported for 2.1 label Jun 22, 2021
@eladkal
Copy link
Contributor

eladkal commented Jun 22, 2021

Adding 2.1 label due to report of #16155

@ashb ashb modified the milestones: Airflow 2.1.2, Airflow 2.1.3 Jul 7, 2021
@kosteev
Copy link
Contributor

kosteev commented Jul 20, 2021

For Airflow 2.1.1 similar warnings are seen in the logs:
"""
WARNING - Refused to delete permission view, assoc with role exists My Profile.userinfoedit Admin
WARNING - Refused to delete permission view, assoc with role exists My Profile.can_edit Admin
"""

@iicky
Copy link

iicky commented Jul 20, 2021

Same here for version 2.1.2 - just appeared on upgrade.

[2021-07-20 21:40:46,109] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists View Menus.can_create Admin
[2021-07-20 21:40:46,135] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists View Menus.can_edit Admin
[2021-07-20 21:40:46,161] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists View Menus.can_delete Admin
[2021-07-20 21:40:46,308] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists View Menus.can_create Admin
[2021-07-20 21:40:46,340] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists View Menus.can_edit Admin
[2021-07-20 21:40:46,370] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists View Menus.can_delete Admin
[2021-07-20 21:40:46,640] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists View Menus.can_create Admin
[2021-07-20 21:40:46,666] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists View Menus.can_edit Admin
[2021-07-20 21:40:46,688] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists View Menus.can_delete Admin
[2021-07-20 21:40:46,816] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists DAG Runs.clear Admin
[2021-07-20 21:40:47,037] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists DAG Runs.clear Admin
[2021-07-20 21:40:47,326] {manager.py:565} WARNING - Refused to delete permission view, assoc with role exists DAG Runs.clear Admin

@kaxil kaxil removed this from the Airflow 2.1.3 milestone Jul 27, 2021
@kaxil kaxil added this to the Airflow 2.2 milestone Jul 27, 2021
@Nimesh-K-Makwana
Copy link

Nimesh-K-Makwana commented Aug 17, 2021
edited
Loading

And solution? Facing similar problem in airflow 2.1.1. Unable to delete or edit list user from airflow UI (being Admin also is not allowing to edit permission of other users).

@kaxil kaxil modified the milestones: Airflow 2.2, 2.2.1 Sep 14, 2021
@krishnacdunuka
Copy link

krishnacdunuka commented Oct 4, 2021
edited
Loading

I solved WARNING - Refused to delete permission view, assoc with role exists DAG Runs.clear Admin after upgrading to Airflow 2.1.4 by removing "clear on DAG Runs" permission from Admin role. Likewise try doing for other delete refusal warnings

@zachliu
Copy link
Contributor

zachliu commented Oct 4, 2021
edited
Loading

I solved WARNING - Refused to delete permission view, assoc with role exists DAG Runs.clear Admin after upgrading to Airflow 2.1.4 by removing "clear on DAG Runs" permission from Admin role. Likewise try doing for other delete refusal warnings

interesting, i tried what you said unfortunately it didn't stop the warning messages (did you have to reboot the web server?) and i can still clear on DAG Runs as an admin. what does this permission do? 😹

@ashb ashb modified the milestones: Airflow 2.2.1, Airflow 2.2.2 Oct 14, 2021
@kaxil kaxil modified the milestones: Airflow 2.2.2, Airflow 2.3.0 Nov 1, 2021
@char101
Copy link

char101 commented Dec 13, 2021

Check base_permissions in https://github.com/apache/airflow/blob/main/airflow/www/views.py#L3982, I think it should equal the values in the table ab_permission_view.

For example to fix this message WARNING - Refused to delete permission view, assoc with role exists DAG Runs.can_create User, add permissions.ACTION_CAN_CREATE to base_permissions in the class DagRunModelView.

@kaxil
Copy link
Member

kaxil commented Dec 13, 2021

@blag Can you take a look at this when you have time plz

@jedcunningham
Copy link
Member

I think this might have been fixed in #21483.

@kaxil kaxil closed this as completed Mar 23, 2022
@kaxil kaxil modified the milestones: Airflow 2.3.0, Airflow 2.2.5 Mar 23, 2022
@kaxil
Copy link
Member

kaxil commented Mar 23, 2022

We can reopen if someone reports it after 2.2.5

@SergeyBychkov SergeyBychkov mentioned this issue Sep 13, 2022
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
affected_version:2.1 Issues Reported for 2.1 area:auth area:webserver Webserver related Issues kind:bug This is a clearly a bug
Projects
None yet
Milestone
Airflow 2.2.5
Development

No branches or pull requests