fix: prevent multiple pvm errors on migration

[eschutho]

SUMMARY

We're seeing some errors when running the catalog migration because of some PVMs that already exist. In that case, I'm not going to update the PVM.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[sadpandajoe]

might be good to add these into a helper function call create_index that will do the check and add it like here #31303

[eschutho]

Nice, I was thinking of a helper function. I don't want to create a conflict with that PR. Perhaps we can use his helper function after it's merged.

[eschutho]

@betodealmeida not sure if you would prefer to return pvms to be deleted instead of deleting them here

[mistercrunch]

Do we really need to delete anything here? Should we just rename the existing ones and create new ones for new catalogs? The old ones are attached to roles already and we probably want to maintain those associations.

[betodealmeida]

@mistercrunch the current code does that, we get the current perm (where the catalog name is null, see how we compute current_perm in line 492) and change it to point to the new perm name new_perm, which includes the default catalog name (line 497). Then we simply rename the existing PVM to have the new name, so that existing associations like roles are preserved (line 508 on the left).

In regards to this PR, I don't think we should delete existing PVMs. First, because they should not exist... the only reason I can imagine why it would exist is bad upgrade-downgrade that didn't rename the PVMs correctly. If that happens, I think it's better to just keep the existing PVM, since it already has the correct name, and might be associated with roles.

[eschutho]

@betodealmeida any thoughts whether you think this change should stay with the new migration or in a different PR? My thought is to keep them together so that tables don't get out of sync, but I also see the benefit of splitting them up.

[mistercrunch]

haven't looked at the queries against that table, but could be that a compound index work well here. I saw some queries that predicate on view_menu_id and some on both view_menu_id and permission_id. If permission is never predicated by itself, the compound on view_menu_id and permission_id (in that order) would cover those

[dpgaspar]

Adding more info here, FAB already has a compound index since it defines a unique constraint on these FK: https://github.com/preset-io/Flask-AppBuilder/blob/master/flask_appbuilder/security/sqla/models.py#L73

Checked the security converge code, and we have the following queries:

session.query(ViewMenu).filter(ViewMenu.name == view_name).one_or_none()

session.query(Permission).filter(Permission.name == permission_name).one_or_none()

session.query(PermissionView)
        .filter(
            PermissionView.view_menu_id == view_menu.id,
            PermissionView.permission_id == permission.id,
        )

        session.query(PermissionView)
        .join(Permission)
        .join(ViewMenu)
        .filter(ViewMenu.name == view_name, Permission.name == permission_name)

            session.query(PermissionView)
            .join(Permission)
            .filter(Permission.name == old_permission_name)

            session.query(PermissionView)
            .join(ViewMenu)
            .filter(ViewMenu.name == old_view_name)

We have indexes to efficiently query all of these:

• index on ViewMenu.name
• index on Permission.name
• Indexes on Permission.id and ViewMenu.id

Yet we can have more eficient joins by adding indexes on the FK for ab_permission_view_role and ab_permission_view
dpgaspar/Flask-AppBuilder#2293

[eschutho]

Thanks @dpgaspar! I'll remove the changes here and we'll bring them in from FAB then.

[betodealmeida]

@mistercrunch the current code does that, we get the current perm (where the catalog name is null, see how we compute current_perm in line 492) and change it to point to the new perm name new_perm, which includes the default catalog name (line 497). Then we simply rename the existing PVM to have the new name, so that existing associations like roles are preserved (line 508 on the left).

In regards to this PR, I don't think we should delete existing PVMs. First, because they should not exist... the only reason I can imagine why it would exist is bad upgrade-downgrade that didn't rename the PVMs correctly. If that happens, I think it's better to just keep the existing PVM, since it already has the correct name, and might be associated with roles.

[betodealmeida]

Same here, I would just leave the existing one, something like:

            # check to see if the new name already exists
            if not session.query(ViewMenu).filter_by(name=new_name).one_or_none():
                # new perm doesn't exist, rename existing one to the new name
                pvms_to_rename.append((pvm, new_name))

[mistercrunch]

Yes, deleting is yet more potential locks. I also think there are methods/CLI commands that will clean up perms that should not exist. I forgot whether it's a fab feature or not or what triggers it, but may even be on app startup (?)

[mistercrunch]

LGTM