Multi team: keycloak returns 500 error on /dags screen when teams are not defined in the keycloak client

[stephen-bracken]

Under which category would you file this issue?

Providers

Apache Airflow version

3.2.1

What happened and how to reproduce it?

When dag bundles are assigned to teams that are not defined in the keycloak client resources keycloak returns a 500 resource not found: Dag:myteam response on the /dags and / (home) screens. This is because the auth manager sends a request to keycloak to verify access to each dag by checking the resources.

airflow/providers/keycloak/src/airflow/providers/keycloak/auth_manager/keycloak_auth_manager.py

Line 439 in 4aafb95

def filter_authorized_dag_ids(

What you think should happen instead?

The KeycloakAuthManager or BaseAuthManager should gracefully handle 500 errors from keycloak due to missing resources for teams, and log them. This is important because if a team is added to airflow but not keycloak, all other teams will lose access to the /dags screen due to the 500 error response.

Operating System

Debian GNU/Linux 12 (bookworm)

Deployment

Other Docker-based deployment

Apache Airflow Provider(s)

keycloak

Versions of Apache Airflow Providers

apache-airflow-providers-keycloak==0.7.1

Official Helm Chart version

Not Applicable

Kubernetes Version

1.33.5

Helm Chart configuration

No response

Docker Image customizations

Some additional pip / apt packages

Anything else?

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[eladkal]

cc @vincbeck

[onlyarnav]

Hi, I have submitted a PR regarding the issue. Could you please verify if that fixes the issue and its good or it still required attention.

[eladkal]

Solved in #68951

[stephen-bracken]

@onlyarnav thanks for working on this. I've raised #69028 to update the error message from keycloak