Manage user permissions with Keycloak auth manager¶
You can set-up and manage user permissions with Keycloak auth manager in different ways:
Using Airflow CLI
Using Keycloak console
With Airflow CLI¶
Setting up the permissions can be done using CLI commands. They can create the permissions and needed resources easily.
There are two options to create the permissions:
Create all permissions (Scopes, Resources, Permissions) in one go using one CLI command
Create all permissions (Scopes, Resources, Permissions) step-by-step using the CLI commands
CLI commands take the following parameters:
--username: Keycloak admin username--password: Keycloak admin password--user-realm: Keycloak user realm--client-id: Keycloak client id (default: admin-cli)
They also take the following optional parameters:
--dry-run: If set, the command will check the connection to Keycloak and print the actions that would be performed, without actually executing them.
Please check the Keycloak auth manager CLI documentation for more information about accepted parameters.
One-go creation of permissions¶
There is a single command do all the magic for you.
This command will create scopes, resources and permissions in one-go.
airflow keycloak-auth-manager create-all
Step-by-step creation of permissions¶
First we need to create scopes for the permissions. These scopes later will be used in Keycloak authorization [1].
This command will create scopes for certain types of permissions.
airflow keycloak-auth-manager create-scopes
This command will create resources for certain types of permissions.
airflow keycloak-auth-manager create-resources
Finally, with the command below, we create the permissions using the previously created scopes and resources.
airflow keycloak-auth-manager create-permissions
This will create
read-only permissions
admin permissions
user permissions
operations permissions
More resources about permissions can be found in the official documentation of Keycloak:
1- Keycloak Authorization Process