Skip to content

Fix Keycloak default role policy wiring#67031

Merged
vincbeck merged 1 commit into
apache:mainfrom
anmolxlight:fix/67027-keycloak-api-auth
May 19, 2026
Merged

Fix Keycloak default role policy wiring#67031
vincbeck merged 1 commit into
apache:mainfrom
anmolxlight:fix/67027-keycloak-api-auth

Conversation

@anmolxlight

Copy link
Copy Markdown
Contributor

closes: #67027

What

  • Ensures non-team Keycloak role policies are created when running keycloak-auth-manager create-permissions or create-all.
  • Attaches default Allow-* role policies to the generated global permissions.
  • Adds a regression test covering the default/non-team authorization setup.

Why

In the default non-team setup, the CLI created Keycloak resources and permissions but did not wire role policies to those permissions. Users with Admin or SuperAdmin could authenticate successfully, but Keycloak UMA authorization for Airflow API resources evaluated to denied, causing API calls such as DAG list requests to return 403.

Tests

  • uv run --project providers/keycloak pytest providers/keycloak/tests/unit/keycloak/auth_manager -q
  • uv run ruff check providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/commands.py providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_commands.py
  • uv run ruff format --check providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/commands.py providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_commands.py

@potiuk potiuk added the ready for maintainer review Set after triaging when all criteria pass. label May 18, 2026
@vincbeck
vincbeck merged commit d63b5e9 into apache:main May 19, 2026
90 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug] KeycloakAuthManager returns 403 Forbidden on /api/v1/dags endpoints in Airflow 3.0 despite valid SuperAdmin roles

3 participants