fix(security): dbs/clusters perm

[john-bodley]

SUMMARY

Though both the Database and DruidCluster have a perm property (which is merely a concatenation of either the database or cluster name and record ID), the property only maps to a physical column for the Database model.

The perm column exists is so various permission based queries can be executed to determine if a user can access said data entities. The reason it is not a physical column for the DruidCluster model is probably an oversight as this logic is rarely used. Note this PR addresses the inconsistency.

Rather than storing the perm in the database I thought there was merit in deprecating the dbs.perm column and replacing it with a SQLAlchemy hybrid attribute. These hybrid attributes act like virtual columns and function in both Python and SQL (a SQL expression has been provided to deal with the casting of the id column to a string). If people are ok with these hybrid attributes I wonder if there's merit in deprecating all of the physical perm columns.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TEST PLAN

CI and added additional unit tests.

ADDITIONAL INFORMATION

• Has associated issue:
• Changes UI
• Requires DB Migration.
• Confirm DB Migration upgrade and downgrade tested.
• Introduces new feature or API
• Removes existing feature or API

[villebro]

Very nice! First pass comments.

[villebro]

Is there some reason we want to keep this around and not just reference perm wherever needed?

[john-bodley]

@villbro it’s required here. Note the set_perm callback is still required as it has other logic besides merely setting the perm column. For the dbs and clusters table perm and get_perm are equivalent and hence no database record will be updated (this has always been the case for the clusters table).

[bkyryliuk]

it is also used here: https://github.com/apache/incubator-superset/blob/550e78ff7c02491717960d39ef0bb861aba0f977/superset/security/manager.py#L820
https://github.com/apache/incubator-superset/blob/8e23d4f369f35724b34b14def8a5a8bafb1d2ecb/superset/models/core.py#L659
logic that keeps FAB security in sync with the other models

[villebro]

I'm surprised type checking has to be muted. Apparently mypy isn't comfortable with hybrid properties?

[john-bodley]

I think it struggles to identify which method this refers to.

[bkyryliuk]

This is quite good step towards the cleanup, thanks!
1 thing would be useful to think about -> automatic FAB permission rename on the DB renames

1 more thing would be nice to see in this PR -> keeping FAB with DB permission in sync, e.g. cleaning

[bkyryliuk]

it is also used here: https://github.com/apache/incubator-superset/blob/550e78ff7c02491717960d39ef0bb861aba0f977/superset/security/manager.py#L820
https://github.com/apache/incubator-superset/blob/8e23d4f369f35724b34b14def8a5a8bafb1d2ecb/superset/models/core.py#L659
logic that keeps FAB security in sync with the other models

[john-bodley]

@bkyryliuk could you elaborate some more in relation to:

1 thing would be useful to think about -> automatic FAB permission rename on the DB renames

and

1 more thing would be nice to see in this PR -> keeping FAB with DB permission in sync, e.g. cleaning

If you referring to the possible cascading of renames (I'm not sure if the database perm relates to the datasource per), I think if we moved completely to hybrid attributes this would be solved.

[bkyryliuk]

@john-bodley actually scratch that, looks like it is already happening in the sync. I've seen some abandoned permissions, but there is probably a difference reason for them.

@bkyryliuk could you elaborate some more in relation to:

1 thing would be useful to think about -> automatic FAB permission rename on the DB renames

and

1 more thing would be nice to see in this PR -> keeping FAB with DB permission in sync, e.g. cleaning

If you referring to the possible cascading of renames (I'm not sure if the database perm relates to the datasource per), I think if we moved completely to hybrid attributes this would be solved.