feat: Update database permissions in async mode #32231
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dosubot
bot
added
change:backend
Vitor-Avila
commented
Feb 12, 2025
Vitor-Avila
commented
Feb 12, 2025
|
|
||
| logger = logging.getLogger(__name__) | ||
|
|
||
|
|
||
| def ping(engine: Engine) -> bool: |
There was a problem hiding this comment.
Logic moved from superset/commands/database/test_connection.py.
Vitor-Avila
commented
Feb 12, 2025
![korbit-ai[bot]](https://avatars.githubusercontent.com/in/322216?s=60&v=4){kind=small}
There was a problem hiding this comment.
Review by Korbit AI
Korbit automatically attempts to detect when you fix issues in new commits.
| Category | Issue | Fix Detected |
|---|---|---|
 |
Silent Error Handling in Database Ping ▹ view | |
 |
N+1 Query Pattern in Permission Updates ▹ view | |
|
Inconsistent Catalog Connection Error Handling ▹ view | |
|
Incomplete Error Handling in Permission Resync ▹ view | |
 |
Unsafe User Impersonation in Celery Task ▹ view | |
|
Unsafe User Existence Check ▹ view | ✅ |
 |
Misspelled Error Message ▹ view | |
 |
Default Async Mode Contradicts Intent ▹ view |
Files scanned
| File Path | Reviewed |
|---|---|
| superset/commands/database/utils.py | ✅ |
| superset/tasks/permissions.py | ✅ |
| superset/constants.py | ✅ |
| superset/commands/database/resync_permissions_async.py | ✅ |
| superset/commands/database/exceptions.py | ✅ |
| superset/commands/database/update.py | ✅ |
| superset/views/base.py | ✅ |
| superset/commands/database/resync_permissions.py | ✅ |
| superset-frontend/src/pages/DatabaseList/index.tsx | ✅ |
| superset/databases/api.py | ✅ |
| superset/config.py | ✅ |
Explore our documentation to understand the languages and file types we support and the files we ignore.
Need a new review? Comment
/korbit-reviewon this PR and I'll review your latest changes.Korbit Guide: Usage and Customization
Interacting with Korbit
- You can manually ask Korbit to review your PR using the
/korbit-reviewcommand in a comment at the root of your PR.- You can ask Korbit to generate a new PR description using the
/korbit-generate-pr-descriptioncommand in any comment on your PR.- Too many Korbit comments? I can resolve all my comment threads if you use the
/korbit-resolvecommand in any comment on your PR.- Chat with Korbit on issues we post by tagging @korbit-ai in your reply.
- Help train Korbit to improve your reviews by giving a 👍 or 👎 on the comments Korbit posts.
Customizing Korbit
- Check out our docs on how you can make Korbit work best for you and your team.
- Customize Korbit for your organization through the Korbit Console.
Feedback and Support
Comment on lines
267
to
276
| for dataset in DatabaseDAO.get_datasets( | ||
| self.db_connection_id, | ||
| catalog=catalog, | ||
| schema=schema, | ||
| ): | ||
| dataset.catalog_perm = new_catalog_perm_name | ||
| dataset.schema_perm = new_schema_perm_name | ||
| for chart in DatasetDAO.get_related_objects(dataset.id)["charts"]: | ||
| chart.catalog_perm = new_catalog_perm_name | ||
| chart.schema_perm = new_schema_perm_name |
There was a problem hiding this comment.
N+1 Query Pattern in Permission Updates 
Tell me more
What is the issue?
Nested loops performing database queries for each dataset and its related charts, without batching or bulk updates.
Why this matters
This can lead to N+1 query performance issues when dealing with large numbers of datasets and charts, causing excessive database round trips.
Suggested change ∙ Feature Preview
Batch the permission updates using bulk database operations. Consider using a bulk update query or collecting all objects first and then updating them in a single transaction:
datasets = DatabaseDAO.get_datasets(self.db_connection_id, catalog=catalog, schema=schema)
dataset_ids = [d.id for d in datasets]
# Bulk update datasets
DatasetDAO.bulk_update_permissions(dataset_ids,
catalog_perm=new_catalog_perm_name,
schema_perm=new_schema_perm_name)
# Bulk update related charts
DatasetDAO.bulk_update_chart_permissions(dataset_ids,
catalog_perm=new_catalog_perm_name,
schema_perm=new_schema_perm_name)
💬 Chat with Korbit by mentioning @korbit-ai.
Vitor-Avila
commented
Feb 12, 2025
Vitor-Avila
force-pushed
the
feat/async-db-perm-sync
branch
from
848482a to
2d60c32
Compare
betodealmeida
approved these changes
Feb 24, 2025
| @@ -88,7 +87,14 @@ def run(self) -> Model: | |||
| database.set_sqlalchemy_uri(database.sqlalchemy_uri) | |||
| ssh_tunnel = self._handle_ssh_tunnel(database) | |||
| try: | |||
| self._refresh_catalogs(database, original_database_name, ssh_tunnel) | |||
| current_username = get_username() | |||
| SyncPermissionsCommand( | |||
| @@ -106,3 +107,35 @@ def data_loader( | |||
| return PandasDataLoader( | |||
| example_db_engine, pandas_loader_configuration, table_to_df_convertor | |||
| ) | |||
|
|
|||
|
|
|||
| def with_config(override_config: dict[str, Any]): | |||
9 tasks
Vitor-Avila
force-pushed
the
feat/async-db-perm-sync
branch
from
f394d86 to
9fe2c74
Compare
betodealmeida
approved these changes
Feb 28, 2025
| old_db_connection_name=old_db_connection_name, | ||
| db_connection=db_connection, | ||
| ssh_tunnel=ssh_tunnel, | ||
| ).sync_database_permissions() |
There was a problem hiding this comment.
The fact that we're calling a specific method of the command instead of .run() makes me think that this should've been a function instead of a method (since technically we always want to call only .run() when interacting with a command). But this is fine for now, it's just a nit.
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
Note: To avoid nested transactions, this PR depends on: #32401
Currently, in order to make a new schema or catalog available to be used in Roles, users would need to perform a dummy update to the DB connection (which triggers a permission re-sync). Also, this re-sync is executed in synchronous mode, meaning that the DB connection dialog (and the API request) are kept open until it's fully processed.
This is not ideal for a few different reasons:
This PR moves this logic to dedicated commands, supporting the sync mode approach (default/current behavior) and also an async mode (delegating the operation to a celery task). A dedicated endpoint is also added, allowing users to trigger a re-sync without having to edit the connection.
I'm planning on doing a follow up specifically for the update DB connection flow, but decided to have a first PR mostly focused on adding the feature.
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
After
TESTING INSTRUCTIONS
Tests added.
ADDITIONAL INFORMATION