vincbeck commented on code in PR #65692:
URL: https://github.com/apache/airflow/pull/65692#discussion_r3130888408
##########
providers/microsoft/azure/src/airflow/providers/microsoft/azure/secrets/key_vault.py:
##########
@@ -200,17 +207,41 @@ def build_path(path_prefix: str, secret_id: str, sep: str
= "-") -> str:
path = f"{path_prefix}{sep}{secret_id}"
return path.replace("_", sep)
- def _get_secret(self, path_prefix: str, secret_id: str) -> str | None:
+ def _build_team_secret_name(self, path_prefix: str, team_name: str,
secret_id: str) -> str:
+ """Build a team-scoped secret name using a dedicated separator before
the secret id."""
+ team_prefix = self.build_path(path_prefix, team_name, self.sep)
+ normalized_secret_id = secret_id.replace("_", self.sep)
+ return f"{team_prefix}{self.TEAM_SEP}{normalized_secret_id}"
+
+ def _is_team_specific_accessed_as_global(self, secret_id: str, team_name:
str | None = None) -> bool:
+ normalized_secret_id = secret_id.replace("_", self.sep)
+ team_pattern =
rf"[^{re.escape(self.sep)}]+{re.escape(self.TEAM_SEP)}.+"
+ return team_name is None and bool(re.fullmatch(team_pattern,
normalized_secret_id))
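Review bot: The guard regex in `_is_team_specific_accessed_as_global` only recognises a team prefix that contains no `self.sep` character (`[^sep]+`), while `_build_team_secret_name` sends `team_name` through `build_path`, which rewrites `_` to `self.sep`. A team called, say, `data_eng` (constructed example) therefore produces `data-eng--<id>` names that this check does not classify as team-scoped, so a global lookup of such an id would not be flagged. Either reject team names containing `_` or `sep` when the backend is configured, or test for the separator directly with `return team_name is None and self.TEAM_SEP in normalized_secret_id`, accepting that this also rejects global ids with a doubled separator. A one-line comment stating the naming scheme the pattern encodes (`<team><TEAM_SEP><secret id>`) would help; the same lines are quoted again in the two later excerpts of this hunk.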
Review Comment:
I am trying to understand this code, can you explain? Why are you replacing
`-` by `_`? And what is `team_pattern`?
##########
providers/microsoft/azure/src/airflow/providers/microsoft/azure/secrets/key_vault.py:
##########
@@ -200,17 +207,41 @@ def build_path(path_prefix: str, secret_id: str, sep: str
= "-") -> str:
path = f"{path_prefix}{sep}{secret_id}"
return path.replace("_", sep)
- def _get_secret(self, path_prefix: str, secret_id: str) -> str | None:
+ def _build_team_secret_name(self, path_prefix: str, team_name: str,
secret_id: str) -> str:
+ """Build a team-scoped secret name using a dedicated separator before
the secret id."""
+ team_prefix = self.build_path(path_prefix, team_name, self.sep)
+ normalized_secret_id = secret_id.replace("_", self.sep)
+ return f"{team_prefix}{self.TEAM_SEP}{normalized_secret_id}"
+
+ def _is_team_specific_accessed_as_global(self, secret_id: str, team_name:
str | None = None) -> bool:
+ normalized_secret_id = secret_id.replace("_", self.sep)
+ team_pattern =
rf"[^{re.escape(self.sep)}]+{re.escape(self.TEAM_SEP)}.+"
+ return team_name is None and bool(re.fullmatch(team_pattern,
normalized_secret_id))
+
+ def _get_secret(self, path_prefix: str, secret_id: str, team_name: str |
None = None) -> str | None:
"""
Get an Azure Key Vault secret value.
:param path_prefix: Prefix for the Path to get Secret
:param secret_id: Secret Key
"""
+ if team_name:
+ team_secret = self._get_secret_value(
+ path_prefix, self._build_team_secret_name("", team_name,
secret_id)
Review Comment:
Shouldn't this be `path_prefix` instead of `""`?
##########
providers/microsoft/azure/src/airflow/providers/microsoft/azure/secrets/key_vault.py:
##########
@@ -200,17 +207,41 @@ def build_path(path_prefix: str, secret_id: str, sep: str
= "-") -> str:
path = f"{path_prefix}{sep}{secret_id}"
return path.replace("_", sep)
- def _get_secret(self, path_prefix: str, secret_id: str) -> str | None:
+ def _build_team_secret_name(self, path_prefix: str, team_name: str,
secret_id: str) -> str:
+ """Build a team-scoped secret name using a dedicated separator before
the secret id."""
+ team_prefix = self.build_path(path_prefix, team_name, self.sep)
+ normalized_secret_id = secret_id.replace("_", self.sep)
+ return f"{team_prefix}{self.TEAM_SEP}{normalized_secret_id}"
+
+ def _is_team_specific_accessed_as_global(self, secret_id: str, team_name:
str | None = None) -> bool:
+ normalized_secret_id = secret_id.replace("_", self.sep)
+ team_pattern =
rf"[^{re.escape(self.sep)}]+{re.escape(self.TEAM_SEP)}.+"
+ return team_name is None and bool(re.fullmatch(team_pattern,
normalized_secret_id))
+
+ def _get_secret(self, path_prefix: str, secret_id: str, team_name: str |
None = None) -> str | None:
"""
Get an Azure Key Vault secret value.
:param path_prefix: Prefix for the Path to get Secret
:param secret_id: Secret Key
"""
+ if team_name:
+ team_secret = self._get_secret_value(
+ path_prefix, self._build_team_secret_name("", team_name,
secret_id)
+ )
+ if team_secret is not None:
+ return team_secret
+
+ return self._get_secret_value(path_prefix, secret_id)
+
+ def _get_secret_value(self, path_prefix: str, secret_id: str) -> str |
None:
+ """Get an Azure Key Vault secret value for the given prefix and key."""
name = self.build_path(path_prefix, secret_id, self.sep)
try:
secret = self.client.get_secret(name=name)
return secret.value
except ResourceNotFoundError as ex:
self.log.debug("Secret %s not found: %s", name, ex)
return None
+
+ TEAM_SEP = "--"
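Review bot: When `team_name` is set and the team-scoped secret is missing, `_get_secret` falls through to `self._get_secret_value(path_prefix, secret_id)` with the caller's `secret_id` unchanged, and `_is_team_specific_accessed_as_global` cannot fire on that path because it returns False whenever `team_name` is not None. Nothing in the quoted lines prevents that fallback from resolving to a name inside another team's namespace, so unless the callers (outside this excerpt) validate `secret_id`, team isolation depends on the id format alone. Consider checking the normalized id before the global fallback, e.g. `if self.TEAM_SEP in secret_id.replace("_", self.sep): return None`, and logging only the secret name at debug level when it is refused. The `_get_secret` docstring should also gain a `:param team_name:` entry and a sentence describing the team-then-global lookup order.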
Review Comment:
At the top of the file please