Skip to content

Add LIST scope in Keycloak auth manager #54998

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
vincbeck merged 1 commit into from
Aug 28, 2025
Merged

Add LIST scope in Keycloak auth manager #54998

vincbeck merged 1 commit into from
Aug 28, 2025

Conversation

@vincbeck
Copy link
Contributor

@vincbeck vincbeck commented Aug 27, 2025

Similar of #54987 and #54926 but for Keycloak auth manager.

The current logic to list resources (e.g. list Dags) is a bit wrong in auth managers. Let's take an example. If a user is authorized to access only the Dag test, with the Keycloak auth manager today, the list Dags API returns access denied because we are checking whether the user has access to all Dags.

To fix that, I introduce a new action LIST so that admins can easily give LIST access to all Dags but GET access only on few Dags.

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

@vincbeck vincbeck requested a review from bugraoz93 as a code owner August 27, 2025 21:21
@vincbeck vincbeck force-pushed the vincbeck/keycloak_am_list branch from 01fb738 to cd25458 Compare August 27, 2025 21:25
bugraoz93
bugraoz93 approved these changes Aug 28, 2025
View reviewed changes
Copy link
Contributor

@bugraoz93 bugraoz93 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great addition to eliminate ambiguity! Amazing effort on all those PRs!

@vincbeck vincbeck merged commit b79b7f4 into apache:main Aug 28, 2025
73 checks passed
@vincbeck vincbeck deleted the vincbeck/keycloak_am_list branch August 28, 2025 12:33
mangal-vairalkar pushed a commit to mangal-vairalkar/airflow that referenced this pull request Aug 30, 2025
@vincbeck @mangal-vairalkar
Add LIST scope in Keycloak auth manager (apache#54998)
3142155
nothingmin pushed a commit to nothingmin/airflow that referenced this pull request Sep 2, 2025
@vincbeck @nothingmin
Add LIST scope in Keycloak auth manager (apache#54998)
b04295a
@eladkal eladkal mentioned this pull request Sep 5, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bugraoz93 bugraoz93 bugraoz93 approved these changes

Assignees

No one assigned

Labels

area:providers provider:keycloak

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vincbeck @bugraoz93