Fix HTTP 500 on /ui/teams endpoint when using Keycloak auth manager#62471
Merged
vincbeck merged 5 commits intoFeb 25, 2026
Merged
Conversation
Add `Team` as a first-class Keycloak resource so that `GET /ui/teams`
works correctly for team members instead of returning HTTP 500.
Previously `KeycloakAuthManager.is_authorized_team()` was not implemented,
causing `NotImplementedError` from the base class on every teams request.
The fix introduces `KeycloakResource.TEAM`, wires it into `TEAM_SCOPED_RESOURCES`
and `TEAM_SCOPED_RESOURCE_NAMES`, implements the method, and adds `Team:{team}`
to the `ReadOnly-{team}` Keycloak permission so all team members receive
`Team:{team}#LIST` access.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add TeamDetails import and test cases for is_authorized_team across all existing parametrized test groups: basic status codes, error handling, multi-team scoping, and mismatched-team delegation to Keycloak. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Update expected resource_names in test assertions to include Team:team-a, which was added to TEAM_SCOPED_RESOURCE_NAMES and team_readable_resources in the previous commit. Affected assertions: - ReadOnly-team-a: ["Dag:team-a"] → ["Dag:team-a", "Team:team-a"] - Admin-team-a: add "Team:team-a" (sorted between Pool and Variable) - Admin (SuperAdmin): same Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
stegololz
marked this pull request as ready for review
February 25, 2026 13:59
TeamDetails was added in Airflow 3.2. The top-level import caused an ImportError during test collection when running against Airflow 3.0.x or 3.1.x. Move it to a try/except so the module can be collected on older versions; the test cases that use it are already guarded with @pytest.mark.skipif(not AIRFLOW_V_3_2_PLUS, ...). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
vincbeck
approved these changes
Feb 25, 2026
vincbeck
left a comment
Contributor
There was a problem hiding this comment.
Nice! You might need to tweak some tests because they can only run if Airflow is >= 3.2
…zed to have it skipped on older versions
Contributor
Author
|
Fixed the test by extracting the one about the new resource and skipping it if Airflow < 3.2 |
AkshayArali
pushed a commit
to AkshayArali/airflow_630
that referenced
this pull request
Feb 28, 2026
dominikhei
pushed a commit
to dominikhei/airflow
that referenced
this pull request
Mar 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Part of #62252
Summary
GET /ui/teamsreturned HTTP 500 for all users when the Keycloak authmanager was active. The base class
is_authorized_team()raisesNotImplementedErrorandKeycloakAuthManagerwas missing an override.This PR fixes the issue by introducing
Teamas a Keycloakresource and implementing the missing
is_authorized_team()method:resources.py: addTEAM = "Team"toKeycloakResourcekeycloak_auth_manager.py: addTEAMtoTEAM_SCOPED_RESOURCES,implement
is_authorized_team()delegating to the Keycloak UMA endpointcommands.py: addTeam:{team}to theReadOnly-{team}scope-basedpermission so all team members (Viewer, User, Op, Admin) receive
Team:{team}#LISTaccess; SuperAdmin gets it via the globalAdminpermission
test_keycloak_auth_manager.py: extend all existing parametrized testgroups to cover
is_authorized_teamGen-AI
This PR was developed with assistance from Claude Code (Anthropic).
All generated code has been reviewed and tested locally before submission.