[security] Refactor security code into SupersetSecurityManager

[timifasubaa]

This PR refactors all the security methods into the extensible SupersetSecurityManager. I left has_access in utils.py for now as it is defined differently from the method with the same name in fab's security manager. I will make that change in another PR.

Historically, superset defined its security methods in different files. All over the code base, there are calls to security methods in security.py, utils.py, fab's security manager and the base superset view. By consolidating all the logic in one place it creates one abstraction for all security in superset and makes the code more understandable.
One example of a change resulting from this consolidation of the security logic is
security.merge_perm(sm, permission_name, view_menu_name)
becoming
sm.merge_perm(permission_name, view_menu_name)
This is much cleaner in several ways as a security object is not receiving another security object as a parameter. There are other examples of methods in utils directly accessing fab security manager's private methods.

@john-bodley @mistercrunch

[codecov-io]

Codecov Report

Merging #4565 into master will decrease coverage by 0.02%.
The diff coverage is 70.95%.

@@            Coverage Diff            @@
##           master   #4565      +/-   ##
=========================================
- Coverage   71.52%   71.5%   -0.03%     
=========================================
  Files         190     190              
  Lines       14927   14935       +8     
  Branches     1102    1102              
=========================================
+ Hits        10677   10679       +2     
- Misses       4247    4253       +6     
  Partials        3       3

Impacted Files	Coverage Δ
superset/connectors/druid/models.py	78.85% <100%> (ø)	⬆️
superset/connectors/sqla/models.py	77.91% <100%> (ø)	⬆️
superset/utils.py	88.12% <100%> (+0.15%)	⬆️
superset/data/__init__.py	100% <100%> (ø)	⬆️
superset/models/helpers.py	87.5% <100%> (ø)	⬆️
superset/models/sql_lab.py	98.59% <100%> (ø)	⬆️
superset/connectors/druid/views.py	68.02% <16.66%> (ø)	⬆️
superset/views/base.py	67.12% <20%> (+8.86%)	⬆️
superset/connectors/sqla/views.py	71.56% <20%> (ø)	⬆️
superset/cli.py	47.74% <33.33%> (-0.65%)	⬇️
... and 5 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f9d85bd...c766500. Read the comment docs.

[timifasubaa]

ping

[mistercrunch]

Why 2 security managers? To me the inheritance scheme should be SupersetSecurityManager (new abstraction) inherits from FAB's SecurityManager, and environment-specific say AirbnbSupersetSecurityManager should be forced to derived SupersetSecurityManager.

I don't think it makes sense to grow in the direction of having many security managers. What's next? DatabaseSecurityManager, DashboardSecurityManager?

The scheme I described is a [necessary] breaking change since I'd assume in most environment have a custom SecurityManager that currently derives FAB's and will need to change to derive Superset's.

An [perhaps compatible] alternative would be a SupersetSecurityManagerMixin that we'd somehow inject into FAB's or the enviornment-specific SecurityManger. Not sure if runtime injection of mixin is an acceptable pattern though.

[john-bodley]

@mistercrunch the thinking was that the default security manager is still tightly coupled with FAB concepts (views/menus) which correspond to security related to the app UI and API. These concepts are irrelevant from a data security perspective and thus the reason for two security managers.

[mistercrunch]

This looks great.

After reading the PR I think it should be in scope to rename sm to security_manager everywhere. Rename all the things!

Curious whether you ran into circular deps issues?

[mistercrunch]

We should absolutely raise with an explicit message with perhaps a link to the UPDATE notes if not issubclass(custom_sm, SupersetSecurityManager)

[mistercrunch]

This could be out-of-scope for this PR, but it would be nice to always be explicit about sm and always call it security_manager (my bad!).

It may be reasonable to take it on as part of this PR.

[john-bodley]

I don’t mind the shortened sm (inline with db and other variables) as it’s used frequently and is considerably shorter than security_manager (2 characters vs. 16).

[mistercrunch]

Nice! Having both security and sm was confusing, we should have a single entry point for all security checks and operations.

[mistercrunch]

Then you could sm = app.config.get('CUSTOM_SECURITY_MANAGER') or SupersetSecurityManager :)

[timifasubaa]

@mistercrunch @john-bodley Done!

[john-bodley]

I'm not certain whether we should be referencing other PRs in the code. Given this is a breaking PR you may want to follow this pattern: #4587.

[john-bodley]

Why is this now needed?

[timifasubaa]

Previously it was called inside of sync_role_definitions and that led to weird cyclical dependencies after moving the method to utils.py.
This also make it clear what steps it takes to initialize rather than bundle them together inside one method.

[timifasubaa]

I added an updating.md as suggested.

[timifasubaa]

Previously it was called inside of sync_role_definitions and that led to weird cyclical dependencies after moving the method to utils.py.
This also make it clear what steps it takes to initialize rather than bundle them together inside one method.

[feng-tao]

should it be merge_perm(perm, view_menu) as the definition is " def merge_perm(self, permission_name, view_menu_name):" ? @timifasubaa @mistercrunch (#4745)