Mapping Keycloak Roles to Airflow
This topic describes the mapping of Keycloak roles to Airflow roles.
SSO authorization for Airflow is configured automatically.
If SSO configuration is already available on a Data Fabric cluster, then Airflow's roles and Data Fabric's roles are mapped as follows:
Data Fabric Roles | Airflow Roles |
---|---|
fabric-manager | Admin |
infrastructure-admin | Op |
developer | User |
Roles other than those mentioned above can be mapped manually as follows:
Mapping of Keycloak Roles to Airflow
You need to first configure the roles in Keycloak, and then map them to Airflow roles. For details on adding a new role in Keycloak, see Adding New Users to Keycloak.
To map the roles, do the steps that follow:
- Map the role created in Keycloak to the AUTH_ROLES_MAPPING variable in the <airflow_home>/conf/webserver_config.py file.
- If the default SSO configuration was changed or disabled, do one of the following:
  - Run the configure.sh script WITHOUT the -R option. For details, see configure.sh. Or
  - Change the settings manually in the <airflow_home>/conf/webserver_config.py file.
- Restart the Airflow web server.
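The following added example (not part of the original Data Fabric documentation) shows an AUTH_ROLES_MAPPING that carries the default mapping from the table plus one custom role, with a check you can run before restarting the web server to confirm that no unexpected Keycloak role grants Admin or Op. The data-analyst Keycloak role, the helper function names, and the set of approved privileged roles are assumptions made for illustration.

```python
# Added example: audit an AUTH_ROLES_MAPPING before placing it in webserver_config.py.
# Airflow's built-in roles; extend this set if your deployment defines custom Airflow roles.
AIRFLOW_ROLES = {"Admin", "Op", "User", "Viewer", "Public"}
PRIVILEGED = {"Admin", "Op"}

# Default mapping from the table above, plus one hypothetical custom Keycloak role.
AUTH_ROLES_MAPPING = {
    "fabric-manager": ["Admin"],
    "infrastructure-admin": ["Op"],
    "developer": ["User"],
    "data-analyst": ["Viewer"],  # hypothetical role created in Keycloak
}

def resolve_roles(keycloak_roles, mapping=AUTH_ROLES_MAPPING):
    """Union of Airflow roles for the Keycloak roles a user holds.
    Keycloak roles with no entry in the mapping grant nothing."""
    granted = set()
    for role in keycloak_roles:
        granted.update(mapping.get(role, []))
    return sorted(granted)

def audit_mapping(mapping, allowed_privileged):
    """Return findings for malformed entries, unknown Airflow roles, and
    Keycloak roles that grant Admin/Op without being explicitly approved."""
    findings = []
    for kc_role, af_roles in mapping.items():
        if not isinstance(af_roles, (list, tuple)):
            findings.append(f"{kc_role}: value must be a list of Airflow role names")
            continue
        for af_role in af_roles:
            if af_role not in AIRFLOW_ROLES:
                findings.append(f"{kc_role}: unknown Airflow role {af_role!r}")
            elif af_role in PRIVILEGED and kc_role not in allowed_privileged:
                findings.append(f"{kc_role}: grants {af_role} but is not approved")
    return findings

if __name__ == "__main__":
    # Constructed sample: a user holding two mapped roles and one unmapped role.
    print(resolve_roles(["developer", "data-analyst", "offline_access"]))
    print(audit_mapping(AUTH_ROLES_MAPPING, {"fabric-manager", "infrastructure-admin"}))
```

Only the AUTH_ROLES_MAPPING dictionary belongs in webserver_config.py; the two functions are a pre-deployment check.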
Manual Disabling of SSO at Airflow
To manually disable SSO and change the authentication to AUTH_DB, do the steps that follow:
- Change the following parameters in <airflow_home>/conf/webserver_config.py as follows:
  AUTH_TYPE = AUTH_DB
  AUTH_USER_REGISTRATION = False
- Comment out the line with LOGOUT_REDIRECT_URL.
- Restart the Airflow web server.