vincbeck commented on code in PR #61351:
URL: https://github.com/apache/airflow/pull/61351#discussion_r2800167276
##########
providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py:
##########
@@ -368,9 +396,24 @@ def _is_authorized(
elif method == "GET":
method = "LIST"
+ is_multi_team = conf.getboolean("core", "multi_team", fallback=False)
+ is_team_scoped = resource_type in TEAM_SCOPED_RESOURCES
+ is_teamless = team_name is None
+
+ # Team-scoped resources require a team, except for LIST which uses
global permission.
+ if is_multi_team and is_team_scoped and is_teamless and method !=
"LIST":
+ raise ValueError("Missing team_name for team-scoped resource in
multi-team mode.")
Review Comment:
Which should simplify the overall logic here, to me, we should only check
whether `team_name` is provided, and if so, add it to the resource name like
you did
##########
providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py:
##########
@@ -368,9 +396,24 @@ def _is_authorized(
elif method == "GET":
method = "LIST"
+ is_multi_team = conf.getboolean("core", "multi_team", fallback=False)
+ is_team_scoped = resource_type in TEAM_SCOPED_RESOURCES
+ is_teamless = team_name is None
+
+ # Team-scoped resources require a team, except for LIST which uses
global permission.
+ if is_multi_team and is_team_scoped and is_teamless and method !=
"LIST":
+ raise ValueError("Missing team_name for team-scoped resource in
multi-team mode.")
Review Comment:
We should not do that. In a multi-team environment, Dags, Connections,
Variables, Pools can also be global. They must not belong to a team
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
