ecodina commented on issue #61686:
URL: https://github.com/apache/airflow/issues/61686#issuecomment-3896341536

   This was blocking us from migrating our prod instance to Airflow 3, so if anyone 
reaches this issue, you can use this workaround (although you lose the nice 
authorization functionality of Keycloak):
   
   Create your own Auth Manager that is based on `KeycloakAuthManager` and 
re-implements the `_is_authorized` method. In there you can put your own logic 
(if feasible) to authorize. In our case, we use roles, and we decided on these 
auth rules:
   
   ```python
   import jwt  # PyJWT, which Airflow already uses for its own tokens

   # Import paths as in the Keycloak auth manager provider package.
   from airflow.api_fastapi.auth.managers.base_auth_manager import ResourceMethod
   from airflow.providers.keycloak.auth_manager.keycloak_auth_manager import KeycloakAuthManager
   from airflow.providers.keycloak.auth_manager.resources import KeycloakResource
   from airflow.providers.keycloak.auth_manager.user import KeycloakAuthManagerUser


   class CustomAuthManager(KeycloakAuthManager):
       def _is_authorized(
           self,
           *,
           method: ResourceMethod | str,
           resource_type: KeycloakResource,
           user: KeycloakAuthManagerUser,
           resource_id: str | None = None,
           attributes: dict[str, str | None] | None = None,
       ) -> bool:
           # Read the client roles Keycloak placed in the access token for the "airflow" client.
           # Signature verification is skipped on purpose: this only reads claims from the
           # token the auth manager itself stored on the user object at login.
           token = jwt.decode(user.access_token, options={"verify_signature": False})
           roles = token.get("resource_access", {}).get("airflow", {}).get("roles", [])

           # Admins may do anything.
           if "airflow_admin" in roles:
               return True

           # Operators may do anything except touch configuration or the providers view.
           if "airflow_op" in roles:
               if resource_type in (KeycloakResource.CONFIGURATION,):
                   return False
               if resource_type == KeycloakResource.VIEW and resource_id in ("PROVIDERS",):
                   return False

               return True

           # Viewers get read-only access to DAGs, a few views and the menu.
           if "airflow_viewer" in roles:
               if method.lower() not in ("get", "head", "options", "list", "menu"):
                   return False
               if resource_type not in (
                   KeycloakResource.DAG,
                   KeycloakResource.VIEW,
                   KeycloakResource.MENU,
               ):
                   return False
               if resource_type == KeycloakResource.VIEW and resource_id not in (
                   "CLUSTER_ACTIVITY",
                   "DOCS",
                   "IMPORT_ERRORS",
                   "WEBSITE",
               ):
                   return False
               if resource_type == KeycloakResource.DAG:
                   # The DAG audit log is the one DAG sub-entity viewers may not read.
                   dag_entity = attributes.get("dag_entity") if attributes else None
                   if dag_entity and dag_entity in ("AUDIT_LOG",):
                       return False

               return True

           # Deny by default: a user without one of the three roles gets nothing.
           return False
   ```
   
   This is just a workaround. The real fix comes with implementing the 
`filter` and `batch` functions, which I tried to do this week but couldn't 
figure out.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
