stegololz opened a new pull request, #61256: URL: https://github.com/apache/airflow/pull/61256
### Description This PR extends the Keycloak auth manager to support multi‑team authorization as outlined in AIP‑67. In multi‑team mode, team context from request details (e.g., team_name on DAGs, connections, assets) is now used to authorize access via team‑scoped Keycloak permissions. The model is: - Team = Keycloak group, role = role within that team. - Permissions are team‑scoped (e.g., Dag:team-a#LIST), so users only see and access resources for teams they belong to. - A global admin role remains available for cross‑team administration to preserve operational workflows and backward compatibility. The CLI is updated to provision the required Keycloak objects for team mode, while remaining compatible with non‑multi‑team deployments (when --teams is not used, no team‑specific resources are created). related: #60885 --- ##### Was generative AI tooling used to co-author this PR? - [X] Yes (Codex) Generated-by: Codex following the guidelines -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
