airflow.providers.keycloak.auth_manager.keycloak_auth_manager¶

Attributes¶

`log`
`RESOURCE_ID_ATTRIBUTE_NAME`

Classes¶

KeycloakAuthManager

Keycloak auth manager.

Module Contents¶

airflow.providers.keycloak.auth_manager.keycloak_auth_manager.log[source]¶

airflow.providers.keycloak.auth_manager.keycloak_auth_manager.RESOURCE_ID_ATTRIBUTE_NAME = 'resource_id'[source]¶

class airflow.providers.keycloak.auth_manager.keycloak_auth_manager.KeycloakAuthManager(context=None)[source]¶

Bases: airflow.api_fastapi.auth.managers.base_auth_manager.BaseAuthManager[airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser]

Keycloak auth manager.

Leverages Keycloak to perform authentication and authorization in Airflow.

deserialize_user(token)[source]¶

Create a user object from dict.

serialize_user(user)[source]¶

Create a subject and extra claims dict from a user object.

get_url_login(**kwargs)[source]¶

Return the login page url.

get_url_refresh()[source]¶

Return the URL to refresh the authentication token.

This is used to refresh the authentication token when it expires. The default implementation returns None, which means that the auth manager does not support refresh token.

is_authorized_configuration(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on configuration.

Parameters:

method (airflow.api_fastapi.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser) – the user to performing the action
details (airflow.api_fastapi.auth.managers.models.resource_details.ConfigurationDetails | None) – optional details about the configuration

is_authorized_connection(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on a connection.

Parameters:

method (airflow.api_fastapi.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser) – the user to performing the action
details (airflow.api_fastapi.auth.managers.models.resource_details.ConnectionDetails | None) – optional details about the connection

is_authorized_dag(*, method, user, access_entity=None, details=None)[source]¶

Return whether the user is authorized to perform a given action on a DAG.

Parameters:

method (airflow.api_fastapi.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser) – the user to performing the action
access_entity (airflow.api_fastapi.auth.managers.models.resource_details.DagAccessEntity | None) – the kind of DAG information the authorization request is about. If not provided, the authorization request is about the DAG itself
details (airflow.api_fastapi.auth.managers.models.resource_details.DagDetails | None) – optional details about the DAG

is_authorized_backfill(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on a backfill.

Parameters:

method (airflow.api_fastapi.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser) – the user to performing the action
details (airflow.api_fastapi.auth.managers.models.resource_details.BackfillDetails | None) – optional details about the backfill

is_authorized_asset(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on an asset.

Parameters:

method (airflow.api_fastapi.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser) – the user to performing the action
details (airflow.api_fastapi.auth.managers.models.resource_details.AssetDetails | None) – optional details about the asset

is_authorized_asset_alias(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on an asset alias.

Parameters:

method (airflow.api_fastapi.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser) – the user to perform the action on
details (airflow.api_fastapi.auth.managers.models.resource_details.AssetAliasDetails | None) – optional details about the asset alias

is_authorized_variable(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on a variable.

Parameters:

method (airflow.api_fastapi.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser) – the user to performing the action
details (airflow.api_fastapi.auth.managers.models.resource_details.VariableDetails | None) – optional details about the variable

is_authorized_pool(*, method, user, details=None)[source]¶

Return whether the user is authorized to perform a given action on a pool.

Parameters:

method (airflow.api_fastapi.auth.managers.base_auth_manager.ResourceMethod) – the method to perform
user (airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser) – the user to performing the action
details (airflow.api_fastapi.auth.managers.models.resource_details.PoolDetails | None) – optional details about the pool

is_authorized_view(*, access_view, user)[source]¶

Return whether the user is authorized to access a read-only state of the installation.

Parameters:

access_view (airflow.api_fastapi.auth.managers.models.resource_details.AccessView) – the specific read-only view/state the authorization request is about.
user (airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser) – the user to performing the action

is_authorized_custom_view(*, method, resource_name, user)[source]¶

Return whether the user is authorized to perform a given action on a custom view.

A custom view can be a view defined as part of the auth manager. This view is then only available when the auth manager is used as part of the environment. It can also be a view defined as part of a plugin defined by a user.

Parameters:

method (airflow.api_fastapi.auth.managers.base_auth_manager.ResourceMethod | str) – the method to perform. The method can also be a string if the action has been defined in a plugin. In that case, the action can be anything (e.g. can_do). See https://github.com/apache/airflow/issues/39144
resource_name (str) – the name of the resource
user (airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser) – the user to performing the action

filter_authorized_menu_items(menu_items, *, user)[source]¶

Filter menu items based on user permissions.

Parameters:

menu_items (list[airflow.api_fastapi.common.types.MenuItem]) – list of all menu items
user (airflow.providers.keycloak.auth_manager.user.KeycloakAuthManagerUser) – the user

get_fastapi_app()[source]¶

Specify a sub FastAPI application specific to the auth manager.

This sub application, if specified, is mounted in the main FastAPI application.

static get_cli_commands()[source]¶

Vends CLI commands to be included in Airflow CLI.

static get_keycloak_client()[source]¶