Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clean up deprecated data permission types #40545

Merged
merged 16 commits into from
Apr 4, 2024
Merged

Clean up deprecated data permission types #40545

merged 16 commits into from
Apr 4, 2024

Conversation

noahmoss
Copy link
Member

@noahmoss noahmoss commented Mar 24, 2024
edited

This PR removes the old data-access and native-query-editing permissions entirely: from the DB and from the code. This ensures that everything is migrated over to view-data and create-queries.

I've also updated a couple small spots that were still using the old permissions which slipped through the cracks, and updated a lot of tests that were still relying on the old permission types.

@noahmoss noahmoss changed the base branch from master to enforce-new-permissions March 24, 2024 19:52
@noahmoss noahmoss marked this pull request as ready for review March 24, 2024 19:53
@metabase-bot metabase-bot bot added the .Team/AdminWebapp Admin and Webapp team label Mar 24, 2024
@replay-io replay.io
Copy link

replay-io bot commented Mar 24, 2024
edited

Status In Progress ↗︎ 60 / 68
Commit 1784393
Results
⚠️ 7 Flaky
2382 Passed

@noahmoss noahmoss requested a review from camsaul as a code owner March 25, 2024 19:18
Base automatically changed from enforce-new-permissions to nm-split-data-access-migration March 26, 2024 12:22
@noahmoss noahmoss force-pushed the nm-split-data-access-migration branch from feb5f5a to d32026d Compare March 26, 2024 14:05
@noahmoss noahmoss force-pushed the nm-clean-up-old-data-permission-types branch from 6976adf to ec4295c Compare March 26, 2024 14:06
This was referenced Mar 26, 2024
Merged
Merged
@noahmoss Graphite App
Copy link
Member Author

noahmoss commented Mar 26, 2024
edited

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @noahmoss and the rest of your teammates on Graphite Graphite

@noahmoss noahmoss mentioned this pull request Mar 26, 2024
Merged
@noahmoss noahmoss force-pushed the nm-split-data-access-migration branch 2 times, most recently from 950a0b9 to 6e3bda6 Compare March 27, 2024 21:09
@noahmoss noahmoss force-pushed the nm-clean-up-old-data-permission-types branch from ec4295c to 6cd0d75 Compare March 27, 2024 21:09
@noahmoss noahmoss force-pushed the nm-split-data-access-migration branch from 6e3bda6 to f030141 Compare March 28, 2024 13:52
@noahmoss noahmoss force-pushed the nm-clean-up-old-data-permission-types branch from 6cd0d75 to f3a6c7f Compare March 28, 2024 13:52
@noahmoss noahmoss force-pushed the nm-split-data-access-migration branch from f030141 to 7b4db54 Compare March 28, 2024 20:33
@noahmoss noahmoss force-pushed the nm-clean-up-old-data-permission-types branch from 4536e3f to a7e1a7d Compare March 28, 2024 20:33
@noahmoss noahmoss force-pushed the nm-split-data-access-migration branch from 7b4db54 to 438e735 Compare March 29, 2024 13:37
@noahmoss noahmoss force-pushed the nm-clean-up-old-data-permission-types branch from 6509eaa to 3d42ab1 Compare March 29, 2024 15:35
@noahmoss noahmoss mentioned this pull request Mar 29, 2024
Merged
@noahmoss noahmoss force-pushed the nm-split-data-access-migration branch from e66246e to 42c32c7 Compare March 29, 2024 17:28
@noahmoss noahmoss force-pushed the nm-clean-up-old-data-permission-types branch from bfe1635 to a352a2d Compare March 29, 2024 17:28
@noahmoss noahmoss mentioned this pull request Apr 1, 2024
Merged
@noahmoss noahmoss force-pushed the nm-clean-up-old-data-permission-types branch from a352a2d to 8fac4cd Compare April 1, 2024 20:29
@noahmoss noahmoss changed the base branch from nm-split-data-access-migration to nm-split-data-perms-in-graph-ui April 1, 2024 20:30
noahmoss
noahmoss commented Apr 1, 2024
View reviewed changes
enterprise/backend/src/metabase_enterprise/sandbox/models/group_table_access_policy.clj
Comment on lines +199 to +201
;; Remove native query access to the DB when saving a sandbox
(when (= (data-perms/table-permission-for-group group_id :perms/create-queries db-id table_id) :query-builder-and-native)
(data-perms/set-database-permission! group_id db-id :perms/create-queries :query-builder)))
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's a spot that still needed to be migrated — we need to ensure that when you save a sandbox, we correctly revoke native access

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice find, whoops.

resources/migrations/001_update_migrations.yaml
changes:
- sql:
sql: >
DELETE FROM data_permissions where perm_type = 'perms/data-access' OR perm_type = 'perms/native-query-editing';
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's the new migration

src/metabase/models/data_permissions.clj
Comment on lines -204 to -205
For permissions which can be set at the table-level or the database-level, this function will return the database-level
permission if the user has it."
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed this as it is inaccurate

src/metabase/models/data_permissions/graph.clj
@@ -383,12 +312,34 @@
(when new-db-perms
(data-perms/set-database-permission! group-id db-id :perms/create-queries new-db-perms))))

(defn- update-table-level-view-data-permissions!
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are needed to support setting legacy-no-self-service at the table-level. It shouldn't be set in practice (and should be disallowed by the FE) but the BE should allow it for testing purposes.

johnswanson
johnswanson approved these changes Apr 2, 2024
View reviewed changes
Copy link
Contributor

@johnswanson johnswanson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉 nice!

e2e/support/commands/permissions/sandboxTable.js
@@ -25,7 +25,7 @@ Cypress.Commands.add(
[db_id]: {
"view-data": {
[schema]: {
[table_id]: "segmented",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, good catch.

enterprise/backend/src/metabase_enterprise/sandbox/api/util.clj Outdated
(throw (ex-info (str (tru "No current user found"))
{:status-code 403}))))))
(if *current-user-id*
(let [enforced-sandboxes (enforced-sandboxes-for *current-user-id*)]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this functionally different than before?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nope — I think I changed this while trying to fix a different issue and didn't revert it. I'll switch it back.

enterprise/backend/src/metabase_enterprise/sandbox/models/group_table_access_policy.clj
Comment on lines +199 to +201
;; Remove native query access to the DB when saving a sandbox
(when (= (data-perms/table-permission-for-group group_id :perms/create-queries db-id table_id) :query-builder-and-native)
(data-perms/set-database-permission! group_id db-id :perms/create-queries :query-builder)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice find, whoops.

@noahmoss noahmoss force-pushed the nm-clean-up-old-data-permission-types branch from 8fac4cd to 3c15764 Compare April 3, 2024 13:00
@metabase-bot metabase-bot bot added the visual Run Percy visual testing label Apr 3, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 3, 2024

Codenotify: Notifying subscribers in CODENOTIFY files for diff 28b97c8...3c15764.

Notify File(s)
@alxnddr frontend/src/metabase/visualizations/components/TableInteractive/TableInteractive.jsx
frontend/src/metabase/visualizations/components/TableInteractive/TableInteractive.module.css
frontend/src/metabase/visualizations/visualizations/Gauge/Gauge.jsx
frontend/src/metabase/visualizations/visualizations/PieChart/PieChart.jsx
frontend/src/metabase/visualizations/visualizations/PieChart/PieChart.unit.spec.js
@kdoh frontend/src/metabase/ui/components/overlays/Popover/index.tsx
frontend/src/metabase/ui/theme.ts
@ranquild frontend/src/metabase/home/components/HomeXraySection/HomeXraySection.tsx

@noahmoss noahmoss force-pushed the nm-clean-up-old-data-permission-types branch from 3c15764 to e100732 Compare April 3, 2024 13:20
@noahmoss noahmoss removed the visual Run Percy visual testing label Apr 3, 2024
@noahmoss noahmoss force-pushed the nm-clean-up-old-data-permission-types branch from 0df3b50 to 1784393 Compare April 4, 2024 13:34
@noahmoss noahmoss merged commit 49f4a71 into nm-split-data-perms-in-graph-ui Apr 4, 2024
104 checks passed
@noahmoss noahmoss deleted the nm-clean-up-old-data-permission-types branch April 4, 2024 14:54
This was referenced Apr 5, 2024
Merged
Merged
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johnswanson johnswanson johnswanson approved these changes

@camsaul camsaul Awaiting requested review from camsaul

Assignees

@noahmoss noahmoss

Labels
.Team/AdminWebapp Admin and Webapp team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@noahmoss @johnswanson