Keycloak CLI: provision multi‑team resources for auth manager (AIP‑67) #61256
vincbeck merged 8 commits into apache:main from
vincbeck left a comment
Thanks for working on this one. It is pretty massive. Could you split this PR in 2? One for the CLI, one for the rest? That will make the review easier.
Thanks @stegololz for the PR! Now it makes a lot of sense to split, I overlooked the single commit there :)
vincbeck left a comment
Overall LGTM. I have to admit it is kind of hard to review all that code but I could not find anything off
@bugraoz93 If you could take a look as well please
bugraoz93 left a comment
Looks good! Thanks a lot, great work!
There is still one test failing on the PR. It would be amazing if you can solve it. We should be able to merge afterwards, otherwise this directly goes to the CI team's plate :)
Thanks for the reviews! The failing test has been fixed. I was not using the MenuItem Array, so resources were missing.
Error unrelated to this PR, merging
apache#61256)
* feat: update keycloak CLI for multiteam setup
* feat: align team-scoped resources permissions with model and add global list permission in the cli
* docs: refine language in permissions documentation to be more assertive
* fix: update policy name format by removing redundant 'Team-' prefix
* feat: add global scoped resources and update permissions to include them
* reflect changes on auth_ manager on keycloak resource creation
* feat: add 'Jobs' to the CLI menu options in test_commands
* refactor: streamline resource names in permission creation by using MenuItem enumeration
Description
This PR extends the Keycloak CLI to support multi‑team resources creation as outlined in AIP‑67. In multi‑team mode, team context from request details (e.g., team_name on DAGs, connections, assets) is now used to authorize access via team‑scoped Keycloak permissions. The model is:
Team = Keycloak group, role = role within that team.
Permissions are team‑scoped (e.g., Dag:team-a#LIST), so users only see and access resources for teams they belong to.
A global admin role remains available for cross‑team administration to preserve operational workflows and backward compatibility.
This CLI is updated to provision the required Keycloak objects for team mode, while remaining compatible with non‑multi‑team deployments (when --teams is not used, no team‑specific resources are created).
related: #60885
Was generative AI tooling used to co-author this PR?
Generated-by: Codex following the guidelines
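
The team-scoped model in the description above, as an added example that is not code from this PR or from the Airflow Keycloak provider: a deny-by-default check over permission strings shaped like `Dag:team-a#LIST`. The `User` class, the function names, the role names, the `global-admin` role name and the regex character classes are all assumptions made for illustration.

```python
# Added illustration; not code from the PR or the Airflow Keycloak provider.
import re
from dataclasses import dataclass, field

# Shape taken from the description's example "Dag:team-a#LIST":
# <Resource>:<team>#<SCOPE>. The allowed character classes are an assumption.
PERMISSION_RE = re.compile(r"([A-Za-z]+):([a-z0-9][a-z0-9-]*)#([A-Z]+)")

# Constructed role -> scope mapping; role names are hypothetical.
ROLE_SCOPES = {"viewer": {"GET", "LIST"}, "editor": {"GET", "LIST", "PUT", "DELETE"}}
GLOBAL_ADMIN = "global-admin"  # hypothetical name for the cross-team admin role


@dataclass
class User:
    name: str
    team_roles: dict = field(default_factory=dict)  # team (group) -> role in it
    global_roles: set = field(default_factory=set)


def parse_permission(permission: str) -> tuple:
    """Split 'Dag:team-a#LIST' into (resource, team, scope); reject anything else."""
    match = PERMISSION_RE.fullmatch(permission)
    if match is None:
        raise ValueError(f"malformed team-scoped permission: {permission!r}")
    return match.groups()


def is_authorized(user: User, permission: str) -> bool:
    """Deny by default: only a well-formed permission can ever be granted."""
    try:
        _resource, team, scope = parse_permission(permission)
    except ValueError:
        return False  # e.g. missing team segment; never fall through to "allow"
    if GLOBAL_ADMIN in user.global_roles:
        return True  # cross-team administration
    role = user.team_roles.get(team)  # None when the user is not in that group
    return role is not None and scope in ROLE_SCOPES.get(role, set())


def visible_teams(user: User, resource: str, scope: str, teams: list) -> list:
    """Teams whose <resource> the user may access with <scope>."""
    return [t for t in teams if is_authorized(user, f"{resource}:{t}#{scope}")]


if __name__ == "__main__":
    alice = User("alice", team_roles={"team-a": "viewer"})  # constructed sample user
    print(visible_teams(alice, "Dag", "LIST", ["team-a", "team-b"]))
```

The permission string is parsed before the admin check, so a malformed name is refused even for the cross-team admin instead of matching by accident.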