stegololz opened a new pull request, #61351: URL: https://github.com/apache/airflow/pull/61351
**Description**

This PR updates the Keycloak auth manager to enforce multi-team authorization as outlined in AIP-67. When core.multi_team is enabled, team context (e.g., team_name from DAGs, connections, assets) is now used to build team-scoped permission checks so users can only list and access resources for their teams. The authorization flow also supports users in multiple teams by evaluating team-scoped permissions consistently for list and non-list requests, while preserving backward compatibility for non-multi-team deployments.

This is the auth-manager part of the split. The CLI provisioning changes are in the companion PR: [61256](https://github.com/apache/airflow/pull/61256)

related issue: #60885

Open Questions:
- Scope alignment: the first review raised questions about which resources should be team-scoped and whether that should align strictly with [resource_details.py](https://github.com/apache/airflow/blob/main/airflow-core/src/airflow/api_fastapi/auth/managers/models/resource_details.py). I’m still validating the intended model and would welcome guidance on the correct scope.

Was generative AI tooling used to co-author this PR?
- [X] Yes (Codex)
