o-nikolas commented on code in PR #61256:
URL: https://github.com/apache/airflow/pull/61256#discussion_r2756249078


##########
providers/keycloak/docs/auth-manager/manage/permissions.rst:
##########
@@ -73,20 +80,45 @@ This command will create resources for certain types of 
permissions.
 
 .. code-block:: bash
 
-  airflow keycloak-auth-manager create-resources
+  airflow keycloak-auth-manager create-resources --teams team-a,team-b
 
 Finally, with the command below, we create the permissions using the 
previously created scopes and resources.
 
 .. code-block:: bash
 
-  airflow keycloak-auth-manager create-permissions
+  airflow keycloak-auth-manager create-permissions --teams team-a,team-b
 
 This will create
 
-* read-only permissions
-* admin permissions
-* user permissions
-* operations permissions
+* read-only permissions (per-team when ``--teams`` is provided)
+* admin permissions (global)
+* user permissions (per-team when ``--teams`` is provided)
+* operations permissions (per-team when ``--teams`` is provided)
+
+Managing teams with Keycloak
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When using team-scoped resources, you can create Keycloak groups that 
represent teams and attach them to the
+team-specific permissions. The CLI provides helpers for this flow:
+
+.. code-block:: bash
+
+  airflow keycloak-auth-manager create-team team-a
+  airflow keycloak-auth-manager add-user-to-team user-a team-a
+
+These commands create a Keycloak group named ``team-a``, set up team-scoped 
resources and permissions,
+and attach team-specific policies to the permissions for that team.
+When using team-scoped permissions, the recommended model is:
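
Review bot: In the new "Managing teams with Keycloak" section, the sentence "These commands create a Keycloak group named ``team-a``, set up team-scoped resources and permissions, ..." describes only what ``create-team`` appears to do, leaving ``add-user-to-team`` unexplained. It also does not say how ``create-team`` relates to the ``create-resources --teams`` and ``create-permissions --teams`` commands shown just above. Please describe each command on its own and state whether ``create-team team-a`` must follow, or replaces, the ``--teams team-a,team-b`` runs, so an operator can tell which step actually attaches the group policy to the team permissions. Because the list marks admin permissions as "(global)" while the other three are per-team, it would also help to say explicitly that the admin permission is not restricted by team, and what the three per-team entries become when ``--teams`` is omitted.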

Review Comment:
   Is there realistically another model that's possible we'd support? If not, 
then I'd use more assertive language here.


