stegololz opened a new pull request, #62715: URL: https://github.com/apache/airflow/pull/62715
Implement `_get_teams()` in `KeycloakAuthManager` to allow Airflow to discover teams defined in Keycloak when `multi_team=True`.

Follow-up on https://github.com/apache/airflow/pull/62527

## Background

`BaseAuthManager._get_teams()` is called at startup when `AIRFLOW__CORE__MULTI_TEAM=True` to sync team definitions between the auth manager backend and Airflow's internal team table. Without this implementation, the API server crashes on startup when using the Keycloak auth manager in multi-tenant mode.

## Implementation

Teams are stored in Keycloak as UMA (User-Managed Access) resources named `Team:{team_name}` (e.g. `Team:team-a`). The implementation:

1. Obtains a Protection API Token (PAT) via the client credentials grant — user context is not available at startup, so we authenticate as the service itself.
2. Calls the UMA Protection API (`/realms/{realm}/authz/protection/resource_set`) with `name=Team:` (prefix filter) and `deep=true` (returns full resource objects, not just IDs).
3. Strips the `Team:` prefix from each matching resource name and returns the resulting set of team names.

## Testing

Unit test added for `_get_teams()`, covering:

- PAT acquisition via `get_keycloak_client().token(grant_type="client_credentials")`
- Correct URL and query params sent to Keycloak
- Filtering of non-`Team:` resources
- Correct stripping of the `Team:` prefix

---

##### Was generative AI tooling used to co-author this PR?

- [X] Yes — Claude Sonnet 4.6
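Steps 2 and 3 of the implementation described above, as an added example that is not the PR's or Airflow's own code: it builds the `resource_set` query and then re-checks the `Team:` prefix client-side, so a resource whose name only contains `Team:` never becomes a team. The function names, the host `keycloak.example`, the realm `airflow`, the PAT placeholder and the sample response are all constructed for illustration.

```python
import json
from urllib.parse import urlencode

TEAM_PREFIX = "Team:"


def build_resource_set_request(server_url, realm, pat):
    """Return (url, headers) for the UMA Protection API query from the PR text."""
    query = urlencode({"name": TEAM_PREFIX, "deep": "true"})
    base = server_url.rstrip("/")
    url = f"{base}/realms/{realm}/authz/protection/resource_set?{query}"
    # The PAT from the client credentials grant is sent as a bearer token.
    return url, {"Authorization": f"Bearer {pat}"}


def extract_team_names(body):
    """Parse a deep=true response body and return the set of team names."""
    resources = json.loads(body)
    if not isinstance(resources, list):
        raise ValueError("expected a JSON array of resource objects")
    teams = set()
    for resource in resources:
        name = resource.get("name") if isinstance(resource, dict) else None
        # Enforce the prefix locally instead of trusting the server-side filter.
        if not isinstance(name, str) or not name.startswith(TEAM_PREFIX):
            continue
        team = name[len(TEAM_PREFIX):]
        if team:  # a bare "Team:" resource carries no team name
            teams.add(team)
    return teams


# Constructed sample response (hypothetical resource ids and names).
SAMPLE_BODY = json.dumps([
    {"_id": "r1", "name": "Team:team-a"},
    {"_id": "r2", "name": "Team:team-b"},
    {"_id": "r3", "name": "Dag:Team:shadow"},  # contains, but does not start with, the prefix
    {"_id": "r4", "name": "Team:"},            # empty team name
    {"_id": "r5"},                             # no name field
    "r6",                                      # bare id, as a non-deep listing would return
])

if __name__ == "__main__":
    url, _headers = build_resource_set_request(
        "https://keycloak.example", "airflow", "PAT_PLACEHOLDER")
    print(url)
    print(sorted(extract_team_names(SAMPLE_BODY)))
```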
