Re: [PR] feature: Allow batch filtering for dags using Keycloak provider [airflow]

Wed, 12 Nov 2025 01:44:54 -0800 


github-advanced-security[bot] commented on code in PR #56433:
URL: https://github.com/apache/airflow/pull/56433#discussion_r2517584011


##########
providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py:
##########
@@ -170,6 +190,53 @@
             attributes={"dag_entity": access_entity_str},
         )
 
+    def filter_authorized_dag_ids(
+        self,
+        *,
+        dag_ids: set[str],
+        user: KeycloakAuthManagerUser,
+        method: ResourceMethod = "GET",
+        team_name: str | None = None,
+    ) -> set[str]:
+        method_value = cast("ExtendedResourceMethod", method)
+        if not dag_ids:
+            return set()
+
+        attributes: ContextAttributes = {
+            DAG_IDS_ATTRIBUTE_NAME: 
DAG_IDS_ATTRIBUTE_SEPARATOR.join(sorted(dag_ids)),
+        }
+        if team_name:
+            attributes["team_name"] = team_name
+        allowed_dags = resolve_allowed_dags(user.get_id(), team_name)
+        attributes["allowed_dags"] = 
DAG_IDS_ATTRIBUTE_SEPARATOR.join(sorted(allowed_dags or []))
+
+        if log.isEnabledFor(logging.INFO):
+            log.info(
+                "Keycloak DAG visibility request user=%s team=%s count=%d 
sample=[%s]",
+                user.get_id(),
+                team_name or "-",
+                len(dag_ids),
+                _summarize(dag_ids),
+            )
+
+        permissions = self._is_batch_authorized(
+            permissions=[(method_value, KeycloakResource.DAG.value)],
+            user=user,
+            attributes=attributes,
+        )
+        authorized = self._extract_authorized_dag_ids(permissions, dag_ids)
+
+        if log.isEnabledFor(logging.INFO):
+            log.info(
+                "Keycloak DAG visibility grant user=%s team=%s count=%d 
sample=[%s]",
+                user.get_id(),
+                team_name or "-",
+                len(authorized),
+                _summarize(authorized),

Review Comment:
   ## Clear-text logging of sensitive information
   
   This expression logs [sensitive data (secret)](1) as clear text.
   This expression logs [sensitive data (secret)](2) as clear text.
   
   [Show more 
details](https://github.com/apache/airflow/security/code-scanning/550)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to