Mapping Keycloak Roles to Airflow

This topic describes the mapping of Keycloak roles to Airflow roles.

The configuration of SSO authorization for Airflow happens automatically.

If SSO configuration is already available on a Data Fabric cluster, then Data Fabric roles and Airflow roles are mapped as follows:

Data Fabric Roles       Airflow Roles
fabric-manager          Admin
infrastructure-admin    Op
developer               User

Roles other than those mentioned above can be mapped manually as follows:

Mapping of Keycloak Roles to Airflow

You need to first configure the roles in Keycloak, and then map them to Airflow roles. For details on adding a new role in Keycloak, see Adding New Users to Keycloak.

To map the roles, complete the following steps:
  1. Map the role created in Keycloak to the AUTH_ROLES_MAPPING variable in the <airflow_home>/conf/webserver_config.py file.
  2. If the default SSO configuration was changed or disabled, do one of the following:
    • Run the configure.sh script WITHOUT the -R option. For details, see configure.sh. Or
    • Change the settings manually in the <airflow_home>/conf/webserver_config.py file.
  3. Restart the Airflow web server.
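
The following is an added example, not taken from the product's own configuration. It shows AUTH_ROLES_MAPPING in the dictionary form that Flask AppBuilder reads from webserver_config.py, together with a pre-restart check of the mapping. The role data-analyst and the three helper functions are hypothetical, and the check assumes only the built-in Airflow roles exist.

```python
# Built-in Airflow roles; add any custom Airflow roles you have created.
AIRFLOW_ROLES = {"Admin", "Op", "User", "Viewer", "Public"}

# Keycloak role name -> list of Airflow role names.
AUTH_ROLES_MAPPING = {
    "fabric-manager": ["Admin"],       # default mapping from the table above
    "infrastructure-admin": ["Op"],    # default mapping from the table above
    "developer": ["User"],             # default mapping from the table above
    "data-analyst": ["Viewer"],        # hypothetical custom Keycloak role
}


def validate_mapping(mapping):
    """Return a list of problems in a role mapping (empty list means OK)."""
    problems = []
    for kc_role, af_roles in mapping.items():
        # Each value must be a list, not a bare string such as "Admin".
        if not isinstance(af_roles, list) or not af_roles:
            problems.append(f"{kc_role}: value must be a non-empty list")
            continue
        for af_role in af_roles:
            if af_role not in AIRFLOW_ROLES:
                problems.append(f"{kc_role}: unknown Airflow role {af_role!r}")
    return problems


def resolve_roles(keycloak_roles, mapping):
    """Union of Airflow roles granted by a user's Keycloak roles.

    Keycloak roles that have no entry in the mapping grant nothing.
    """
    granted = set()
    for kc_role in keycloak_roles:
        granted.update(mapping.get(kc_role, []))
    return sorted(granted)


def admin_grants(mapping):
    """Keycloak roles that map to Admin, for least-privilege review."""
    return sorted(role for role, roles in mapping.items() if "Admin" in roles)


if __name__ == "__main__":
    print(validate_mapping(AUTH_ROLES_MAPPING))
    print(resolve_roles(["developer", "data-analyst"], AUTH_ROLES_MAPPING))
    print(admin_grants(AUTH_ROLES_MAPPING))
```

Only the AUTH_ROLES_MAPPING assignment belongs in webserver_config.py; run the helper functions separately before restarting the web server.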

Manual Disabling of SSO at Airflow

To manually disable SSO and change the authentication to AUTH_DB, complete the following steps:
  1. Change the following parameters in <airflow_home>/conf/webserver_config.py:
    • AUTH_TYPE = AUTH_DB
    • AUTH_USER_REGISTRATION=False
    • Comment out the line with LOGOUT_REDIRECT_URL.
  2. Restart the Airflow web server.