Enable restricting read access

[jirik]

Currently, it's possible to restrict write permissions to publications using read everoyone, write owner authorization module.

This issue discuss what is necessary to restrict also read permissions. For Layman itself, it would be necessary.

First, we need to track user authentication and authorization for asynchronous celery tasks. For example in case of generate_map_thumbnail task it's necessary to pass authentication to timgen/hslayers, so that it can attach it to GET Map request that points back to Flask. It's not enough to store user credentials, because it can expire during long async tasks.

Probably the right way is to create some kind of per-request credentials on every incoming request, save it to redis (together with request and user information) and pass it to every async task. Be sure that app_context (g) is not shared between celery tasks on single worker. Async task then reads everything necessary from redis and it can use it for authentication of user (e.g. from timgen/hslayers). Furthermore layman.authn module should understand this kind of per-request credentials, so if such request with such credentials comes, Layman validates it in redis, reads user information from redis, and authenticates user.

Per-request credentials needs to be deleted immediately after all async tasks succeed or after any async task fails.

Second, we need to restrict access to WMS/WFS on per-layer base. Such restriction should be valid both for celery tasks (e.g. GetMap WMS request sent from timgen during generate_map_thumbnail or GetMap WMS request sent from Layman during generate_layer_thumbnail task) and for standalone WMS requests, e.g. sent from browser client.

GeoServer's HTTP header authentication filter can be used. Anyway, we need to put GeoServer behind proxy, and this proxy should exchange Layman-authentication credentials (e.g. OAuth2 HTTP headers) for GeoServer's "HTTP header" credentials.

Also it's probably necessary to register user on GeoServer first time it's authenticated in Layman even before PATCH User (because users without username are able to send requests), together with role, so that GeoServer's "HTTP header" can understand who this user is. How will be named user without username???

Third, to enable per-layer read restrictions, we need to store per-layer access permissons somewhere. GeoServer's User-Group service, Role service, and Layer Security system should be used, as GeoServer already understands it (so it does e.g. layer filtering in WMS GetCapabilities out-of-the-box).

It means to be able to set access permissions on POST Layers/Maps and PATCH Layer/Map, save it to GeoServer, and respect it on GeoServer and Layman.

Storing per-layer access permissons on GeoServer and respecting it on Layman and GeoServer will also enable per-layer write permissions.