Skip to content

Fix HTTP 500 on /ui/teams endpoint when using Keycloak auth manager#62471

Merged
vincbeck merged 5 commits into
apache:mainfrom
stegololz:feat/keycloak-team-resource-authorization
Feb 25, 2026
Merged

Fix HTTP 500 on /ui/teams endpoint when using Keycloak auth manager#62471
vincbeck merged 5 commits into
apache:mainfrom
stegololz:feat/keycloak-team-resource-authorization

Conversation

@stegololz

Copy link
Copy Markdown
Contributor

Part of #62252

Summary

GET /ui/teams returned HTTP 500 for all users when the Keycloak auth
manager was active. The base class is_authorized_team() raises
NotImplementedError and KeycloakAuthManager was missing an override.

This PR fixes the issue by introducing Team as a Keycloak
resource and implementing the missing is_authorized_team() method:

  • resources.py: add TEAM = "Team" to KeycloakResource
  • keycloak_auth_manager.py: add TEAM to TEAM_SCOPED_RESOURCES,
    implement is_authorized_team() delegating to the Keycloak UMA endpoint
  • commands.py: add Team:{team} to the ReadOnly-{team} scope-based
    permission so all team members (Viewer, User, Op, Admin) receive
    Team:{team}#LIST access; SuperAdmin gets it via the global Admin
    permission
  • test_keycloak_auth_manager.py: extend all existing parametrized test
    groups to cover is_authorized_team

Gen-AI

This PR was developed with assistance from Claude Code (Anthropic).
All generated code has been reviewed and tested locally before submission.

stegololz and others added 2 commits February 25, 2026 14:10
Add `Team` as a first-class Keycloak resource so that `GET /ui/teams`
works correctly for team members instead of returning HTTP 500.

Previously `KeycloakAuthManager.is_authorized_team()` was not implemented,
causing `NotImplementedError` from the base class on every teams request.
The fix introduces `KeycloakResource.TEAM`, wires it into `TEAM_SCOPED_RESOURCES`
and `TEAM_SCOPED_RESOURCE_NAMES`, implements the method, and adds `Team:{team}`
to the `ReadOnly-{team}` Keycloak permission so all team members receive
`Team:{team}#LIST` access.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add TeamDetails import and test cases for is_authorized_team across all
existing parametrized test groups: basic status codes, error handling,
multi-team scoping, and mismatched-team delegation to Keycloak.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Update expected resource_names in test assertions to include
Team:team-a, which was added to TEAM_SCOPED_RESOURCE_NAMES and
team_readable_resources in the previous commit.

Affected assertions:
- ReadOnly-team-a: ["Dag:team-a"] → ["Dag:team-a", "Team:team-a"]
- Admin-team-a: add "Team:team-a" (sorted between Pool and Variable)
- Admin (SuperAdmin): same

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@stegololz
stegololz marked this pull request as ready for review February 25, 2026 13:59
TeamDetails was added in Airflow 3.2. The top-level import caused
an ImportError during test collection when running against Airflow
3.0.x or 3.1.x. Move it to a try/except so the module can be
collected on older versions; the test cases that use it are already
guarded with @pytest.mark.skipif(not AIRFLOW_V_3_2_PLUS, ...).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@vincbeck vincbeck left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! You might need to tweak some tests because they can only run if Airflow is >= 3.2

@stegololz

Copy link
Copy Markdown
Contributor Author

Fixed the test by extracting the one about the new resource and skipping it if Airflow < 3.2

@vincbeck
vincbeck merged commit 0fb6385 into apache:main Feb 25, 2026
86 checks passed
AkshayArali pushed a commit to AkshayArali/airflow_630 that referenced this pull request Feb 28, 2026
@stegololz
stegololz deleted the feat/keycloak-team-resource-authorization branch March 6, 2026 13:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants