From f4361bca0f27ab006442d714d1809babc3387c04 Mon Sep 17 00:00:00 2001
From: mbelfares
Date: Sun, 7 Jun 2026 17:13:41 +0200
Subject: [PATCH] feat: manual only deployment
---
 helm/airflow/values.yaml | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/helm/airflow/values.yaml b/helm/airflow/values.yaml
index 5e5df84..2b32f81 100644
--- a/helm/airflow/values.yaml
+++ b/helm/airflow/values.yaml
@@ -32,9 +32,33 @@ apiServer:
 "access_token_url": "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/airflow-realm/protocol/openid-connect/token",
 "authorize_url": "http://keycloak.49.13.143.254.nip.io/auth/realms/airflow-realm/protocol/openid-connect/auth",
 "jwks_uri": "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/airflow-realm/protocol/openid-connect/certs",
+ "userinfo_endpoint": "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/airflow-realm/protocol/openid-connect/userinfo",
 "client_kwargs": {
- "scope": "openid email profile"
+ "scope": "openid email profile",
+ "verify": False
 }
 }
 }
 ]
+
+ from airflow.www.security import AirflowSecurityManager
+ from flask_appbuilder.security.manager import AUTH_OAUTH
+ import jwt
+ import logging
+
+ class CustomSecurityManager(AirflowSecurityManager):
+ def oauth_user_info(self, provider, response=None):
+ if provider == "keycloak":
+ token = response.get("access_token")
+ data = jwt.decode(token, options={"verify_signature": False})
+ logging.debug("Keycloak user info: %s", data)
+ return {
+ "username": data.get("preferred_username", ""),
+ "first_name": data.get("given_name", ""),
+ "last_name": data.get("family_name", ""),
+ "email": data.get("email", ""),
+ "role_keys": data.get("roles", []),
+ }
+ return {}
+
+ SECURITY_MANAGER_CLASS = CustomSecurityManager
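Review bot: `oauth_user_info` decodes the access token with `options={"verify_signature": False}` and feeds its `roles` claim straight into `role_keys`, so Airflow role assignment rests on claims that are never verified; with `"verify": False` in `client_kwargs` and plain `http://` Keycloak endpoints, nothing on this path authenticates where the token came from. Verify the token against the realm keys already configured as `jwks_uri`, for example `data = jwt.decode(token, jwt.PyJWKClient(JWKS_URI).get_signing_key_from_jwt(token).key, algorithms=["RS256"], audience=EXPECTED_AUDIENCE)`, where `JWKS_URI` and `EXPECTED_AUDIENCE` are placeholders and the algorithm and audience have to match the realm's client settings; `"verify": False` should go once the endpoints are served over HTTPS. `response` defaults to `None`, so `response.get("access_token")` raises `AttributeError` on that path; use `token = (response or {}).get("access_token")` and return `{}` when no token is present. The `logging.debug` call writes the whole claim set (email, names, roles) to the log, so log the username only or drop the call. The hunk begins inside the provider list, so how this Python block is embedded in values.yaml is not visible here.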