stegololz commented on code in PR #61256:
URL: https://github.com/apache/airflow/pull/61256#discussion_r2749386140


##########
providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py:
##########
@@ -358,26 +397,51 @@ def _is_authorized(
         elif method == "GET":
             method = "LIST"
 
-        resp = self.http_session.post(
-            self._get_token_url(server_url, realm),
-            data=self._get_payload(client_id, 
f"{resource_type.value}#{method}", context_attributes),
-            headers=self._get_headers(user.access_token),
-            timeout=5,
-        )
+        if (
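
Review bot: The removed `self.http_session.post(...)` call set `timeout=5`, and the replacement branch that starts at `+        if (` is cut off here, so it is not visible whether every request in the new path still carries a timeout. With the per-team fallback described in the comment below, one LIST check can become several calls to the token endpoint, so each of them should keep `timeout=5` (or a shared bound). Because a grant from any single team allows the LIST call, please also confirm that the returned items are restricted to the teams that actually granted `LIST`, and document that behaviour in the `_is_authorized` docstring.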

Review Comment:
   When we have a LIST request in a multi-tenant environment, team_name can be 
missing for endpoints that do not provide a team. 
   
   - If team_name is missing and the resource is team‑scoped, we fall back to 
the user’s team memberships (from the token) and try Resource:<team>#LIST for 
each team.
   
   - If any team grants LIST, we allow the list call.
   
   I had issues with this only with LIST while testing, not with 
resource-specific requests.


