[AIRFLOW-XXX] Add a doc about fab security

[feng-tao]

Add a doc about fab security.

[feng-tao]

PTAL @jgao54 @kaxil @ashb

[feng-tao]

PTAL @XD-DENG

[XD-DENG]

Two nits.

[feng-tao]

[ci skip]

[feng-tao]

@XD-DENG , PR updated. PTAL

[codecov-io]

Codecov Report

Merging #4595 into master will increase coverage by <.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #4595      +/-   ##
==========================================
+ Coverage   74.29%   74.29%   +<.01%     
==========================================
  Files         424      424              
  Lines       27860    27860              
==========================================
+ Hits        20698    20699       +1     
+ Misses       7162     7161       -1

Impacted Files	Coverage Δ
airflow/utils/dag_processing.py	59.92% <0%> (+0.17%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8e6bca1...ae76b3a. Read the comment docs.

[XD-DENG]

@feng-tao , I'm not sure about this line. I remember #4118 fixed it and now permission change (adding/removing) will be persisted.

Please correct me if I'm wrong or have misunderstood something.

[jgao54]

@XD-DENG ah, the fix is for roles in ROLE_CONFIGS, which does not include admin, so @feng-tao is correct in this statement. update_admin_perm_view() will add all permissions for admin.

It's a bit restricting, but I think this is a fair restriction to make given it's admin/

[XD-DENG]

Thanks @jgao54 for clarification. But it's still not clear to me (please bear with me if I'm misunderstanding anything).

The impression I get from this paragraph was: 1. Admin can configure/alter permission for other roles (including User, Op, Viewer, and Public); 2. But doing this is not recommended given these roles (User, Op, Viewer, and Public) will be re-synchronized to original values, all changes will be gone after a short while.

Let's say I add can_dagrun_clear permission to Viewer (which was not granted to Viewer in original values). And this change will persist since #4118 merged. But the impression I get from this documentation is this change will not persist.

[jgao54]

@XD-DENG My bad, I re-read the lines and I agree with you it is confusing. In my mind I'm making up words on the fly as I read it:
"it's not recommended for admin to change its own permissions" is what I thought it suggested.

But yes, since #4118, permission change will be persisted for other roles.

[jgao54]

This is my oversight, but public behaves kinda funny currently, i recall it goes into an infinite loop until it hits a stack overflow. This should probably get fixed, but out side of the scope of this PR.

[jgao54]

would prefer not using line ranges because as we make changes to security.py it may potentially invalidate this comment pretty soon. some other ideas are
(1) hard-code the permissions in this file
(2) refer to the global variables in security.py
(3) move the default security configs out of security.py into a separate module, and refer to the entire module.

[ashb]

Or make this a doc comment and then include the code/fn doc via autoclass or similar?

[ashb]

General thoughts: Keep this in docs/security.rst -- there's already enough "items" in the menu of the docs

[jgao54]

Agree with @ashb, putting it in security.rst is fitting as the entire security module is created for RBAC.

[feng-tao]

will update the pr. thanks for review @jgao54 @ashb @XD-DENG

[feng-tao]

The doc has been moved to security.rst and modified per feedback.
PTAL @XD-DENG @jgao54 @ashb

[XD-DENG]

LGTM. Thanks @feng-tao

[feng-tao]

thanks @XD-DENG