Skip to content

Add LIST scope in Keycloak auth manager #54998

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vincbeck merged 1 commit into from
Aug 28, 2025
Merged

Add LIST scope in Keycloak auth manager #54998

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/commands.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ def _get_client_uuid(args):

def _create_scopes(client: KeycloakAdmin, client_uuid: str):
scopes = [{"name": method} for method in get_args(ResourceMethod)]
scopes.append({"name": "MENU"})
scopes.extend([{"name": "MENU"}, {"name": "LIST"}])
for scope in scopes:
client.create_client_authz_scopes(client_id=client_uuid, payload=scope)

Expand All @@ -126,7 +126,7 @@ def _create_resources(client: KeycloakAdmin, client_uuid: str):
scopes = [
{"id": scope["id"], "name": scope["name"]}
for scope in all_scopes
if scope["name"] in ["GET", "POST", "PUT", "DELETE"]
if scope["name"] in ["GET", "POST", "PUT", "DELETE", "LIST"]
]

for resource in KeycloakResource:
Expand Down Expand Up @@ -166,7 +166,7 @@ def _create_permissions(client: KeycloakAdmin, client_uuid: str):

def _create_read_only_permission(client: KeycloakAdmin, client_uuid: str):
all_scopes = client.get_client_authz_scopes(client_uuid)
scopes = [scope["id"] for scope in all_scopes if scope["name"] in ["GET", "MENU"]]
scopes = [scope["id"] for scope in all_scopes if scope["name"] in ["GET", "MENU", "LIST"]]
payload = {
"name": "ReadOnly",
"type": "scope",
Expand Down
2 changes: 2 additions & 0 deletions providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -286,6 +286,8 @@ def _is_authorized(
context_attributes = prune_dict(attributes or {})
if resource_id:
context_attributes[RESOURCE_ID_ATTRIBUTE_NAME] = resource_id
elif method == "GET":
method = "LIST"

resp = requests.post(
self._get_token_url(server_url, realm),
Expand Down
18 changes: 9 additions & 9 deletions providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@ def test_get_url_login(self, auth_manager):
"Configuration#GET",
{RESOURCE_ID_ATTRIBUTE_NAME: "test"},
],
["is_authorized_configuration", "GET", None, "Configuration#GET", None],
["is_authorized_configuration", "GET", None, "Configuration#LIST", None],
[
"is_authorized_configuration",
"PUT",
Expand All @@ -127,47 +127,47 @@ def test_get_url_login(self, auth_manager):
"Connection#DELETE",
{RESOURCE_ID_ATTRIBUTE_NAME: "test"},
],
["is_authorized_connection", "GET", None, "Connection#GET", {}],
["is_authorized_connection", "GET", None, "Connection#LIST", {}],
[
"is_authorized_backfill",
"POST",
BackfillDetails(id=1),
"Backfill#POST",
{RESOURCE_ID_ATTRIBUTE_NAME: "1"},
],
["is_authorized_backfill", "GET", None, "Backfill#GET", {}],
["is_authorized_backfill", "GET", None, "Backfill#LIST", {}],
[
"is_authorized_asset",
"GET",
AssetDetails(id="test"),
"Asset#GET",
{RESOURCE_ID_ATTRIBUTE_NAME: "test"},
],
["is_authorized_asset", "GET", None, "Asset#GET", {}],
["is_authorized_asset", "GET", None, "Asset#LIST", {}],
[
"is_authorized_asset_alias",
"GET",
AssetAliasDetails(id="test"),
"AssetAlias#GET",
{RESOURCE_ID_ATTRIBUTE_NAME: "test"},
],
["is_authorized_asset_alias", "GET", None, "AssetAlias#GET", {}],
["is_authorized_asset_alias", "GET", None, "AssetAlias#LIST", {}],
[
"is_authorized_variable",
"PUT",
VariableDetails(key="test"),
"Variable#PUT",
{RESOURCE_ID_ATTRIBUTE_NAME: "test"},
],
["is_authorized_variable", "GET", None, "Variable#GET", {}],
["is_authorized_variable", "GET", None, "Variable#LIST", {}],
[
"is_authorized_pool",
"POST",
PoolDetails(name="test"),
"Pool#POST",
{RESOURCE_ID_ATTRIBUTE_NAME: "test"},
],
["is_authorized_pool", "GET", None, "Pool#GET", {}],
["is_authorized_pool", "GET", None, "Pool#LIST", {}],
],
)
@pytest.mark.parametrize(
Expand Down Expand Up @@ -257,7 +257,7 @@ def test_is_authorized_invalid_request(self, mock_requests, function, auth_manag
"GET",
None,
None,
"Dag#GET",
"Dag#LIST",
{},
],
[
Expand All @@ -278,7 +278,7 @@ def test_is_authorized_invalid_request(self, mock_requests, function, auth_manag
"GET",
DagAccessEntity.TASK_INSTANCE,
None,
"Dag#GET",
"Dag#LIST",
{"dag_entity": "TASK_INSTANCE"},
],
],
Expand Down
Loading