Skip to content

Handle missing Keycloak resources as access denied#68951

Merged
vincbeck merged 3 commits into
apache:mainfrom
onlyarnav:keylcloak-error-on-teams-not-defined
Jun 25, 2026
Merged

Handle missing Keycloak resources as access denied#68951
vincbeck merged 3 commits into
apache:mainfrom
onlyarnav:keylcloak-error-on-teams-not-defined

Conversation

@onlyarnav

@onlyarnav onlyarnav commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Fix Keycloak auth manager handling for missing team-scoped Dag resources.

When Keycloak returns a 500 resource not found response for a missing authorization resource, the Keycloak auth manager now treats that check as denied access and logs a warning instead of raising an exception. This prevents one missing team resource from breaking the /dags and home screens for every user.

Added coverage for:

  • Missing Keycloak authorization resources returning False.
  • Dag filtering continuing to return authorized Dags when one team-scoped Keycloak resource is missing.
Was generative AI tooling used to co-author this PR?
  • Yes — Claude Code (Opus 4.8)

SameerMesiah97
SameerMesiah97 reviewed Jun 24, 2026
View reviewed changes

@SameerMesiah97 SameerMesiah97 left a comment
edited
Loading

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one nit. Also, can you reproduce this issue or is it theoretical?

Comment thread providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py
@potiuk potiuk added the ready for maintainer review Set after triaging when all criteria pass. label Jun 25, 2026
@vincbeck vincbeck merged commit b411423 into apache:main Jun 25, 2026
77 checks passed
@boring-cyborg

boring-cyborg Bot commented Jun 25, 2026

Copy link
Copy Markdown

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.

@onlyarnav onlyarnav deleted the keylcloak-error-on-teams-not-defined branch June 25, 2026 19:46
@eladkal eladkal linked an issue Jun 26, 2026 that may be closed by this pull request
Multi team: keycloak returns 500 error on /dags screen when teams are not defined in the keycloak client #68943
Closed
2 tasks
@eladkal eladkal mentioned this pull request Jun 26, 2026
Closed
2 tasks
@shahar1 shahar1 mentioned this pull request Jun 26, 2026
Merged
1 task
@stephen-bracken stephen-bracken mentioned this pull request Jun 26, 2026
Open
2 tasks
shahar1 added a commit to shahar1/airflow that referenced this pull request Jun 26, 2026
@shahar1
Prepare ad-hoc provider documentation 2026-06-26
81cc1e1 
cncf.kubernetes (10.18.1) and apache.spark (6.2.0) were excluded from the
2026-06-16 wave after binding -1 votes; their blockers are now resolved, so
re-cut the same versions with the fixes folded in. fab and keycloak need
corrective patch releases (3.7.1, 0.8.1) after the airflowctl CLI client
integration was reverted from core (apache#68856) and a Keycloak access-denied
bug fix (apache#68951). celery (3.21.0) adds a Python 3.14 worker start-method
config (apache#69015), and google (22.2.1) ships the GKE 401 fix for kubernetes
client 36.x (apache#69032).
shahar1 added a commit to shahar1/airflow that referenced this pull request Jun 26, 2026
@shahar1
Prepare ad-hoc provider documentation 2026-06-26
c7bcb8d 
cncf.kubernetes (10.18.1) and apache.spark (6.2.0) were excluded from the
2026-06-16 wave after binding -1 votes; their blockers are now resolved, so
re-cut the same versions with the fixes folded in. fab and keycloak need
corrective patch releases (3.7.1, 0.8.1) after the airflowctl CLI client
integration was reverted from core (apache#68856) and a Keycloak access-denied
bug fix (apache#68951). celery (3.21.0) adds a Python 3.14 worker start-method
config (apache#69015), and google (22.2.1) ships the GKE 401 fix for kubernetes
client 36.x (apache#69032).
shahar1 added a commit that referenced this pull request Jun 26, 2026
@shahar1
Prepare ad-hoc provider documentation 2026-06-26 (#69022)
4e2f5d4 
cncf.kubernetes (10.18.1) and apache.spark (6.2.0) were excluded from the
2026-06-16 wave after binding -1 votes; their blockers are now resolved, so
re-cut the same versions with the fixes folded in. fab and keycloak need
corrective patch releases (3.7.1, 0.8.1) after the airflowctl CLI client
integration was reverted from core (#68856) and a Keycloak access-denied
bug fix (#68951). celery (3.21.0) adds a Python 3.14 worker start-method
config (#69015), and google (22.2.1) ships the GKE 401 fix for kubernetes
client 36.x (#69032).
@shahar1 shahar1 mentioned this pull request Jun 26, 2026
Open
15 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vincbeck vincbeck vincbeck approved these changes
@bugraoz93 bugraoz93 Awaiting requested review from bugraoz93 bugraoz93 is a code owner
+1 more reviewer
@SameerMesiah97 SameerMesiah97 SameerMesiah97 left review comments
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area:providers provider:keycloak ready for maintainer review Set after triaging when all criteria pass.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Multi team: keycloak returns 500 error on /dags screen when teams are not defined in the keycloak client

4 participants

@onlyarnav @SameerMesiah97 @vincbeck @potiuk