Raise a warning instead of an error if extra teams are defined in the auth manager #68935
Open
stephen-bracken wants to merge 1 commit into
SameerMesiah97 (Contributor) approved these changes on Jun 24, 2026 and left a comment:
Looks good. One thing I noticed is that the new db_teams - am_teams warning is a new validation path rather than a straight severity downgrade of the existing check.
Don't raise an error on startup if the Auth Manager has additional teams
In the case of the KeycloakAuthManager, defining additional teams in the Auth Manager should not interact with the Airflow system in a negative way, as the Auth Manager will only issue auth requests to Keycloak based on access of resources. These must be mapped to teams that actually exist in the database, as they are created in Airflow.
Despite this, adding additional team resources to the Keycloak client will cause the API server to crash on startup until the teams are added to the database as well. This makes the system more brittle by introducing an implicit order of actions which new teams must go through to be added (i.e. 1. add to database, 2. add to auth manager, 3. add to DAGs).
Raising a warning at startup instead tells admins that they need to update their configuration without affecting the normal running of the API server.
Was generative AI tooling used to co-author this PR?
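The ordering problem from the description above, as an added example that is not code from this PR or from Airflow: it replays a new team's rollout in both orders under an abort-on-mismatch check and under a warn-only check. The names `validate_teams`, `TeamMismatchError`, `rollout_survives` and the `strict` flag are hypothetical, and the warning for database teams missing from the auth manager is assumed from the review comment.

```python
import logging

log = logging.getLogger("team_check")  # hypothetical logger name


class TeamMismatchError(RuntimeError):
    """Strict mode only: auth manager has teams the database lacks."""


def validate_teams(db_teams, am_teams, strict=False):
    """Compare database teams with auth manager teams at startup.

    strict=True models the old behaviour (abort on extra auth manager
    teams); strict=False models the proposed one (warn and continue).
    Returns (extra_in_am, missing_in_am) as sorted lists.
    """
    db_teams, am_teams = set(db_teams), set(am_teams)
    extra_in_am = sorted(am_teams - db_teams)
    missing_in_am = sorted(db_teams - am_teams)
    if extra_in_am:
        if strict:
            raise TeamMismatchError(f"teams not in database: {extra_in_am}")
        log.warning("Auth manager teams not in database: %s", extra_in_am)
    if missing_in_am:
        # Assumed from the review comment: the reverse direction also warns.
        log.warning("Database teams not in auth manager: %s", missing_in_am)
    return extra_in_am, missing_in_am


def rollout_survives(steps, strict):
    """Replay a new team's rollout, restarting the server after each step.

    steps is a sequence of "db" / "am" naming where the team is added next.
    Returns True if every restart passes validation.
    """
    db, am = {"team_a"}, {"team_a"}  # constructed starting state
    for step in steps:
        (db if step == "db" else am).add("team_b")
        try:
            validate_teams(db, am, strict=strict)
        except TeamMismatchError:
            return False
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for order in (["db", "am"], ["am", "db"]):
        print(order, "strict:", rollout_survives(order, True),
              "warn-only:", rollout_survives(order, False))
```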