-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Tarun
committed
Jan 3, 2025
1 parent
9edc078
commit 11c710e
Showing
53 changed files
with
2,661 additions
and
822 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,32 +8,72 @@ collate: false | |
|
|
||
| ## Update conf/openmetadata.yaml | ||
|
|
||
| Once the `Client Id` is generated, add the `Client Id` in `openmetadata.yaml` file in `client_id` field. | ||
| In `openmetadata.yaml` file and use the following example as a reference. Replace the placeholder values with the details generated during your Auth0 account and application credentials setup. | ||
|
|
||
| ```yaml | ||
| authenticationConfiguration: | ||
| provider: "auth0" | ||
| publicKeyUrls: | ||
| - "https://parth-panchal.us.auth0.com/.well-known/jwks.json" | ||
| - "{your domain}/api/v1/system/config/jwks" #Make sure this URL is always configured to enable JWT tokens | ||
| authority: "https://parth-panchal.us.auth0.com/" | ||
| clientId: "{Client ID}" | ||
| callbackUrl: "http://localhost:8585/callback" | ||
| ``` | ||
| Check the more information about environment variable [here](/deployment/security/configuration-parameters). | ||
|
|
||
| Then, | ||
| - Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below. | ||
| - Update the `principalDomain` to your company domain name. | ||
|
|
||
| ```yaml | ||
| {% codeWithLanguageSelector title="Auth Configuration" id="container-1" languagesArray=["implicit","authcode"] theme="dark" %} | ||
| ```implicit | ||
| # Implicit Flow Configuration | ||
| authorizerConfiguration: | ||
| className: "org.openmetadata.service.security.DefaultAuthorizer" | ||
| # JWT Filter | ||
| containerRequestFilter: "org.openmetadata.service.security.JwtFilter" | ||
| adminPrincipals: | ||
| - "user1" | ||
| - "user2" | ||
| principalDomain: "open-metadata.org" | ||
| adminPrincipals: | ||
| - "admin" # Administrator email prefix (e.g., "admin" from "[email protected]") | ||
| - "user1" # Additional administrator email prefix | ||
| - "user2" # Additional administrator email prefix | ||
| principalDomain: "open-metadata.org" # Primary domain for your organization (e.g., "yourdomain.com") | ||
| principalDomain: "open-metadata.org" # Update with your Domain,The primary domain for the organization (example.com from [email protected]). | ||
| authenticationConfiguration: | ||
| provider: "auth0" # Authentication provider, set to "auth0" | ||
| publicKeyUrls: | ||
| - "https://{Auth0 Domain Name}/.well-known/jwks.json" # Replace {Auth0 Domain Name} with your Auth0 domain | ||
| - "{Your OMD Server URL}/api/v1/system/config/jwks" # Replace {Your OMD Server URL} with your OpenMetadata server URL | ||
| authority: "https://{Your Auth0 Domain}" # Base URL of your Auth0 domain | ||
| clientId: "{Client ID}" # Auth0 Client ID for your application | ||
| callbackUrl: "http://localhost:8585/callback" # Callback URL for OpenMetadata authentication | ||
| clientType: "public" # Set to "public" for implicit flow | ||
| ``` | ||
| ```authcode | ||
| # Auth Code Flow Configuration | ||
| authorizerConfiguration: | ||
| className: "org.openmetadata.service.security.DefaultAuthorizer" | ||
| containerRequestFilter: "org.openmetadata.service.security.JwtFilter" | ||
| adminPrincipals: | ||
| - "admin" # Administrator email prefix (e.g., "admin" from "[email protected]") | ||
| - "user1" # Additional administrator email prefix | ||
| - "user2" # Additional administrator email prefix | ||
| principalDomain: "open-metadata.org" # Primary domain for your organization (e.g., "yourdomain.com") | ||
| authenticationConfiguration: | ||
| provider: "auth0" # Authentication provider, set to "auth0" | ||
| publicKeyUrls: | ||
| - "https://{Auth0 Domain Name}/.well-known/jwks.json" # Replace {Auth0 Domain Name} with your Auth0 domain | ||
| - "{Your OMD Server URL}/api/v1/system/config/jwks" # Replace {Your OMD Server URL} with your OpenMetadata server URL | ||
| authority: "https://{Your Auth0 Domain}" # Base URL of your Auth0 domain | ||
| clientId: "{Client ID}" # Auth0 Client ID for your application | ||
| callbackUrl: "http://localhost:8585/callback" # Callback URL for OpenMetadata authentication | ||
| clientType: "confidential" # Set to "confidential" for auth code flow | ||
| oidcConfiguration: | ||
| id: "{Client ID}" # Auth0 Client ID for your application | ||
| type: "auth0" # Ensure this matches your provider type | ||
| secret: "{Client Secret}" # Auth0 Client Secret for your application | ||
| discoveryUri: "https://{Auth0 Domain Name}/.well-known/openid-configuration" | ||
| # Discovery URI for OpenID configuration; replace {Auth0 Domain Name} with your Auth0 domain | ||
| callbackUrl: "http://localhost:8585/callback" # Callback URL for OpenMetadata authentication | ||
| serverUrl: "http://localhost:8585" # OpenMetadata server URL; update for production environments | ||
| ``` | ||
| {% /codeWithLanguageSelector %} | ||
|
|
||
| {% partial file="/v1.6/deployment/configure-ingestion.md" /%} | ||
|
|
||
| {% inlineCalloutContainer %} | ||
| {% inlineCallout | ||
| color="violet-70" | ||
| icon="MdArrowBack" | ||
| bold="Auth" | ||
| href="/deployment/security/auth0" %} | ||
| Go to Auth0 Configuration | ||
| {% /inlineCallout %} | ||
| {% /inlineCalloutContainer %} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,28 +10,68 @@ To enable security for the Docker deployment, follow the next steps: | |
|
|
||
| ## 1. Create an .env file | ||
|
|
||
| Create an `openmetadata_auth0.env` file and add the following contents as an example. Use the information | ||
| generated when setting up the account. | ||
| Create an `openmetadata_auth0.env` file and use the following example as a reference. Replace the placeholder values with the details generated during your Auth0 account and application credentials setup. | ||
|
|
||
| ```shell | ||
| # OpenMetadata Server Authentication Configuration | ||
| Check the more information about environment variable [here](/deployment/security/configuration-parameters). | ||
|
|
||
|
|
||
| {% codeWithLanguageSelector title="Auth Configuration" id="container-1" languagesArray=["implicit","authcode"] theme="dark" %} | ||
|
|
||
| ```implicit | ||
| # Implicit Flow | ||
| AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer | ||
| AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter | ||
| AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from [email protected] | ||
| AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain | ||
| AUTHORIZER_ADMIN_PRINCIPALS=[admin] # john.doe from [email protected] | ||
| AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your Domain,The primary domain for the organization (example.com from [email protected]). | ||
| AUTHENTICATION_PROVIDER=auth0 | ||
| AUTHENTICATION_PUBLIC_KEYS=[{Domain}/.well-known/jwks.json,{your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens | ||
| AUTHENTICATION_AUTHORITY={Domain} # The base URL of the authentication provider. | ||
| AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID | ||
| AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback | ||
| AUTHENTICATION_CLIENT_TYPE= public | ||
| ``` | ||
|
|
||
| ```authcode | ||
| # Auth Code Flow | ||
| AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer | ||
| AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter | ||
| AUTHORIZER_ADMIN_PRINCIPALS=[admin] # john.doe from [email protected] | ||
| AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your Domain,The primary domain for the organization (example.com from [email protected]). | ||
| AUTHENTICATION_PROVIDER=auth0 | ||
| AUTHENTICATION_PUBLIC_KEYS=[{Domain}/.well-known/jwks.json,{your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens | ||
| AUTHENTICATION_PUBLIC_KEYS=[{Domain}/.well-known/jwks.json,{your domain}/api/v1/system/config/jwks] # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens | ||
| AUTHENTICATION_AUTHORITY={Domain} # The base URL of the authentication provider. | ||
| AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID | ||
| AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback | ||
| AUTHENTICATION_CLIENT_TYPE= confidential | ||
| OIDC_CLIENT_ID={Client ID} # Update with your Client ID | ||
| OIDC_TYPE=auth0 | ||
| OIDC_CLIENT_SECRET={Client Secret} # Update with your Client Secret | ||
| OIDC_DISCOVERY_URI: http://{Domain}/.well-known/openid-configuration # Update with your Domain | ||
| OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"} | ||
| AUTHENTICATION_AUTHORITY={Domain} # Update with your Domain | ||
| AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID | ||
| AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback | ||
| ``` | ||
|
|
||
| {% /codeWithLanguageSelector %} | ||
|
|
||
|
|
||
|
|
||
| ## 2. Start Docker | ||
|
|
||
| ```commandline | ||
| docker compose --env-file ~/openmetadata_auth0.env up -d | ||
| ``` | ||
|
|
||
| {% partial file="/v1.6/deployment/configure-ingestion.md" /%} | ||
|
|
||
|
|
||
| {% inlineCalloutContainer %} | ||
| {% inlineCallout | ||
| color="violet-70" | ||
| icon="MdArrowBack" | ||
| bold="Auth" | ||
| href="/deployment/security/auth0" %} | ||
| Go to Auth0 Configuration | ||
| {% /inlineCallout %} | ||
| {% /inlineCalloutContainer %} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,27 +7,83 @@ collate: false | |
| # Auth0 SSO for Kubernetes | ||
|
|
||
| Check the Helm information [here](https://artifacthub.io/packages/search?repo=open-metadata). | ||
| Check the more information about environment variable [here](/deployment/security/configuration-parameters). | ||
|
|
||
| Once the `Client Id` is generated, see the snippet below for an example of where to | ||
| place the client id value and update the authorizer configurations in the `values.yaml`. | ||
| Here is an example for reference, showing where to place the values in the `values.yaml` file after setting up your Auth0 account and obtaining the application credentials. | ||
|
|
||
| {% codeWithLanguageSelector title="Auth Configuration" id="container-1" languagesArray=["implicit","authcode"] theme="dark" %} | ||
|
|
||
| ```implicit | ||
| # Public Flow | ||
| ```yaml | ||
| openmetadata: | ||
| config: | ||
| authorizer: | ||
| className: "org.openmetadata.service.security.DefaultAuthorizer" | ||
| containerRequestFilter: "org.openmetadata.service.security.JwtFilter" | ||
| initialAdmins: | ||
| - "suresh" | ||
| principalDomain: "open-metadata.org" | ||
| initialAdmins: # john.doe from [email protected] | ||
| - "admin" | ||
| - "user1" | ||
| - "user2" | ||
| principalDomain: "open-metadata.org" # Update with your Domain,The primary domain for the organization (example.com from [email protected]). | ||
| authentication: | ||
| clientType: public | ||
| provider: "auth0" | ||
| publicKeys: | ||
| - "{your domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens | ||
| - "{Auth0 Domain Name}/.well-known/jwks.json" | ||
| authority: "https://parth-panchal.us.auth0.com/" | ||
| authority: "{Your Auth0 Domain}" # The base URL of the authentication provider. | ||
| clientId: "{Client ID}" | ||
| callbackUrl: "http://localhost:8585/callback" | ||
| ``` | ||
|
|
||
| ```authcode | ||
| # Auth Code Flow | ||
| openmetadata: | ||
| config: | ||
| authorizer: | ||
| className: "org.openmetadata.service.security.DefaultAuthorizer" | ||
| containerRequestFilter: "org.openmetadata.service.security.JwtFilter" | ||
| initialAdmins: # john.doe from [email protected] | ||
| - "admin" | ||
| - "user1" | ||
| - "user2" | ||
| principalDomain: "open-metadata.org" # Update with your Domain,The primary domain for the organization (example.com from [email protected]). | ||
| authentication: | ||
| clientType: confidential | ||
| provider: "auth0" | ||
| publicKeys: # List of URLs providing public keys for verifying JWT tokens. | ||
| - "{Your Domain}/api/v1/system/config/jwks" # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens | ||
| - "{Auth0 Domain Name}/.well-known/jwks.json | ||
| authority: "{Your Auth0 Domain}" # The base URL of the authentication provider. | ||
| clientId: "{Client ID}" # Update your Client ID | ||
| callbackUrl: "http://localhost:8585/callback" | ||
| oidcConfiguration: | ||
| oidcType: "Auth0" | ||
| clientId: | ||
| secretRef: oidc-secrets | ||
| secretKey: openmetadata-oidc-client-id | ||
| clientSecret: | ||
| secretRef: oidc-secrets | ||
| secretKey: openmetadata-oidc-client-secret | ||
| discoveryUri: "{Domain name}/.well-known/openid-configuration" # Update your Auth0 Domain | ||
| callbackUrl: http://localhost:8585/callback | ||
| serverUrl: http://localhost:8585 | ||
| ``` | ||
|
|
||
| {% /codeWithLanguageSelector %} | ||
|
|
||
| {% partial file="/v1.6/deployment/configure-ingestion.md" /%} | ||
|
|
||
| {% inlineCalloutContainer %} | ||
| {% inlineCallout | ||
| color="violet-70" | ||
| icon="MdArrowBack" | ||
| bold="Auth" | ||
| href="/deployment/security/auth0" %} | ||
| Go to Auth0 Configuration | ||
| {% /inlineCallout %} | ||
| {% /inlineCalloutContainer %} | ||
69 changes: 69 additions & 0 deletions
69
openmetadata-docs/content/v1.6.x/deployment/security/azure/auth-code-flow.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| --- | ||
| title: Auth0 SSO for Docker | ||
| slug: /deployment/security/azure/auth-code-flow | ||
| collate: false | ||
| --- | ||
|
|
||
| # Auth Code Flow | ||
|
|
||
|
|
||
| ### Step 1: App Registrations | ||
|
|
||
| - Provide an Application Name for registration. | ||
| - Provide a redirect URL as a Auth Code Flow. | ||
| - Click on Register. | ||
|
|
||
| {% image src="/images/v1.6/deployment/security/azure/create-web-registration.png" alt="create-app" /%} | ||
|
|
||
|
|
||
|
|
||
| ### Step 2: Where to Find the Credentials | ||
|
|
||
| - The `Client ID` and the `Tenant ID` are displayed in the Overview section of the registered application. | ||
|
|
||
| {% image src="/images/v1.6/deployment/security/azure/web-client-secret.png" alt="create-app" /%} | ||
|
|
||
| - When passing the details for `authority`, the `Tenant ID` is added to the URL as shown in the example | ||
| below. `https://login.microsoftonline.com/TenantID` | ||
|
|
||
| ```commandline | ||
| "authority": "https://login.microsoftonline.com/c11234b7c-b1b2-9854-0mn1-56abh3dea295" | ||
| ``` | ||
|
|
||
| {% partial file="/v1.6/deployment/configure-ingestion.md" /%} | ||
|
|
||
|
|
||
| {% inlineCalloutContainer %} | ||
| {% inlineCallout | ||
| color="violet-70" | ||
| icon="celebration" | ||
| bold="Docker Security" | ||
| href="/deployment/security/azure/docker" %} | ||
| Configure Azure SSO for your Docker Deployment. | ||
| {% /inlineCallout %} | ||
| {% inlineCallout | ||
| color="violet-70" | ||
| icon="storage" | ||
| bold="Bare Metal Security" | ||
| href="/deployment/security/azure/bare-metal" %} | ||
| Configure Azure SSO for your Bare Metal Deployment. | ||
| {% /inlineCallout %} | ||
| {% inlineCallout | ||
| color="violet-70" | ||
| icon="fit_screen" | ||
| bold="Kubernetes Security" | ||
| href="/deployment/security/azure/kubernetes" %} | ||
| Configure Azure SSO for your Kubernetes Deployment. | ||
| {% /inlineCallout %} | ||
| {% /inlineCalloutContainer %} | ||
|
|
||
|
|
||
| {% inlineCalloutContainer %} | ||
| {% inlineCallout | ||
| color="violet-70" | ||
| icon="MdArrowBack" | ||
| bold="Azure" | ||
| href="/deployment/security/azure" %} | ||
| Go to Azure Configuration | ||
| {% /inlineCallout %} | ||
| {% /inlineCalloutContainer %} |
Oops, something went wrong.