Simplify fab has access lookup

[jhtimmins]

Simplifies the FAB security manager code by doing the following.

1. Modifies permission lookup by accessing User.perms property method and checking if a permission pair is included in the user's list of perms.
2. Extends AnonymousUserMixin to create AnonymousUser, which has both perms and roles property methods. Removes the need for custom auth logic for anonymous users.
3. Removes helper methods that provide little value, including:

• .get_readable_dags()
• .current_user_has_permissions()
• ._has_resource_access()
• .user_has_perms()
• .user_has_roles()

4. Removes unused methods:

• SecurityManager.is_item_public()

5. Moves the code to create a root dag resource name to Permissions.resource_name_for_dag()

This is the next piece of the permissions refactor.

[andrewgodwin]

I think you may need to do this as a single query for efficiency reasons?

[jhtimmins]

I added lazy=joined to several model fields, which causes prefetching. It now runs 11 queries instead of 49.

[jhtimmins]

@andrewgodwin that said, this PR does add some overall time to the tests. pytest tests/views --with-db-init runs in 1:53 on main and 2:00 on my branch. How significant is that?

[uranusjr]

I feel the previous version is a bit easier to understand (i.e. “not anonymous but does not have any permissions”)

Suggested change

	if not (g.user.is_anonymous or g.user.perms):
	if not g.user.is_anonymous and not g.user.perms:

[ashb]

See this one @jhtimmins

[ashb]

LGTM -- a few small comments to address or say "naaah" to

[ashb]

Suggested change

	def get_permissions_from_roles(self, role_id: int) -> List[Permission]:
	def get_permissions_from_role(self, role_id: int) -> List[Permission]:

Should be singular given it takes a single role_id. (Possibly also called _from_role_id, but don't mind on that one)

[jhtimmins]

Its actually not used anymore so should be removed entirely

[ashb]

from airflow.compat.functools import cached_property and then:

Suggested change

	@property
	def perms(self):
	if not self._perms:
	self._perms = set()
	for role in self.roles:
	self._perms.update({(perm.action.name, perm.resource.name) for perm in role.permissions})
	return self._perms
	@cached_property
	def perms(self):
	_perms = set()
	for role in self.roles:
	_perms.update({(perm.action.name, perm.resource.name) for perm in role.permissions})
	return _perms

And then del self.perms in the @roles.setter to clear the cache.

(This is all functionally the same, I just find the delcarative @cached_property clearer to read.)

[jhtimmins]

I'll make this change in a follow up PR

[ashb]

See this one @jhtimmins

[ashb]

Unrelated change in this file?

[jhtimmins]

@ashb The most recent changes address a bug that only arises with MSSQL. Bc my changes to the permission models include prefetching of data, the parameters.apply_sorting() method doesn't work anymore https://github.com/apache/airflow/blob/main/airflow/api_connexion/parameters.py#L99. It's a utility method for allowing users to pass sort parameters to the API, and it then adds the order_by string to the query. This is problematic for joined queries, since sqlalchemy uses aliases to reference the joins and subqueries. MSSQL has a different alias naming scheme than the other DBs.

My change addresses the two API functions that query on the permission models, and replaces the calls to apply_sorting() with localized code to handle the different sort arguments.

I've duplicated some code, which I could remove by modifying the original .apply_sorting() method, but to prevent scope creep I'd rather do that in a future PR.