vincbeck commented on code in PR #61351:
URL: https://github.com/apache/airflow/pull/61351#discussion_r2770046592


##########
providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py:
##########
@@ -367,9 +390,24 @@ def _is_authorized(
         elif method == "GET":
             method = "LIST"
 
+        is_multi_team = conf.getboolean("core", "multi_team", fallback=False)
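
Review bot: The added `is_multi_team = conf.getboolean("core", "multi_team", fallback=False)` in `_is_authorized` reads the same option that `_get_resource_name` reads again further down in this file, so the multi-team decision is made in two places. Read it once and pass the value (or the already resolved resource name) along, so the two checks cannot disagree about whether team scoping applies to a given authorization request.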

Review Comment:
   `is_multi_team and team_name` should not happen so I would rather raise an error in such a case



##########
providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py:
##########
@@ -424,6 +462,20 @@ def _get_token_url(server_url, realm):
         # Normalize server_url to avoid double slashes (required for Keycloak 
26.4+ strict path validation).
         return 
f"{server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
 
+    @staticmethod
+    def _get_resource_name(resource_type: KeycloakResource, team_name: str | 
None) -> str | None:
+        if not conf.getboolean("core", "multi_team", fallback=False):
+            return resource_type.value
+
+        if resource_type in TEAM_SCOPED_RESOURCES:
+            return f"{resource_type.value}:{team_name}" if team_name else None
+
+        return resource_type.value
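
Review bot: In `_get_resource_name`, the team-scoped branch returns `None` when `team_name` is missing or empty, and the method has no docstring telling a caller what to do with that value. Document that `None` means no resource name could be resolved and that the caller must deny the request, or raise here instead, so a missing team can never end up formatted into a permission string or treated as the unscoped `resource_type.value`.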

Review Comment:
   ```suggestion
           if not conf.getboolean("core", "multi_team", fallback=False) or resource_type not in TEAM_SCOPED_RESOURCES:
               return resource_type.value
           else:
               return f"{resource_type.value}:{team_name}" if team_name else None
   ```



##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -366,13 +409,30 @@ def test_is_authorized_invalid_request(self, function, 
auth_manager, user):
                 "Dag#GET",
                 {RESOURCE_ID_ATTRIBUTE_NAME: "test", "dag_entity": 
"TASK_INSTANCE"},
             ],
+            [
+                "GET",
+                DagAccessEntity.TASK_INSTANCE,
+                DagDetails(id="test", team_name="team-a"),
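
Review bot: The new parametrized case passes `DagDetails(id="test", team_name="team-a")`, but the expected permission and attributes for it are cut off in the visible lines. Make sure the expectation asserts the team-scoped resource name that `_get_resource_name` builds when `multi_team` is enabled, and add a case for a team-scoped resource with `team_name=None` that pins down what `_is_authorized` returns when no resource name can be resolved.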

Review Comment:
   Why does the team not appear in the resource?


