Andrushika commented on issue #69041:
URL: https://github.com/apache/airflow/issues/69041#issuecomment-4812642424

   I took a quick look at the Keycloak auth manager path and I could reproduce 
the lower-level behavior behind this.
   
   `KeycloakAuthManager.filter_authorized_dag_ids()` wraps the result with 
cache/single-flight, but on cache miss it falls back to the base auth manager 
implementation. That base implementation checks each Dag id individually, so 
Keycloak ends up sending one authorization HTTP request per Dag id in that 
filter call.
   
   I verified this locally with a small unit test: 25 Dag ids + mocked 
`http_session.post` resulted in 25 POST calls, each with a different 
`resource_id` claim.
   
   I have not reproduced the full 10s `/dags` page load, but this per-Dag 
request pattern seems consistent with the reported slowdown when Keycloak calls 
have non-trivial latency.
   
   AWS auth manager seems to avoid this by batching authorization checks in 
`filter_authorized_dag_ids()`. Would a similar batch path make sense for 
Keycloak?
   
   BTW, this may also need `area:providers` / `provider:keycloak` labels.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to