OpenMetadata/openmetadata-docs/content/v1.7.x/deployment/security/basic-auth/index.md

---
title: Basic Authentication
slug: /deployment/security/basic-auth
collate: false
---

# UserName/Password Login

Out of the box, OpenMetadata comes with a Username & Password Login Mechanism.

The default Username and Password for Login are:

```commandline
Username - admin@open-metadata.org
Password - admin
```
When using a custom domain, configure the principal domain as follows:

```yaml
config:
    authorizer:
      adminPrincipals: [admin]
      principalDomain: "yourdomain.com"
```

With this setup, the default Username will be `admin@yourdomain.com`.

{%important%}

Security requirements for your **production** environment:
- **DELETE** the admin default account shipped by OM.
- **UPDATE** the Private / Public keys used for the [JWT Tokens](/deployment/security/enable-jwt-tokens) in case it is enabled.

{%/important%}

# Setting up Basic Auth Manually

Below are the required steps to set up the Basic Login:

## Set up Configurations in openmetadata.yaml

### Authentication Configuration

The following configuration controls the auth mechanism for OpenMetadata. Update the mentioned fields as required.

```yaml
authenticationConfiguration:
  provider: ${AUTHENTICATION_PROVIDER:-basic}
  publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[{your domain}/api/v1/system/config/jwks]} # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens
  authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}
  enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
```

For the Basic auth we need to set:
 
-  `provider`: basic
-  `publicKeyUrls`: {http|https}://{your_domain}:{port}}/api/v1/system/config/jwks
-  `authority`: {your_domain}
-  `enableSelfSignup`: This flag indicates if users can come and signup by themselves on the OM

### Authorizer Configuration

This configuration controls the authorizer for OpenMetadata:

```yaml
authorizerConfiguration:
  adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
  allowedEmailRegistrationDomains: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]}
  principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"open-metadata.org"}
```

For the Basic auth we need to set:

- `adminPrincipals`: admin usernames to bootstrap the server with, comma-separated values.
- `allowedEmailRegistrationDomains`: This controls what all domain are allowed for email registration can be your {principalDomain} as well, for example gmail.com, outlook.comm etc.
- `principalDomain`: This controls what all domain are allowed for email registration, for example gmail.com, outlook.comm etc. When `AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN` is set to `true`, only users with email addresses from the `AUTHORIZER_PRINCIPAL_DOMAIN` can log in.

{%note%}

Please note the following are the formats to bootstrap admins on server startup: `[admin1,admin2,admin3]`

This works for SMTP-enabled servers, Login Password for these are generated randomly and sent to the mail `adminName`@`principalDomain`. 

If SMTP is not enabled for OpenMetadata, please use the method below to create admin users: `[admin1, admin2, admin3]`. The default password for all admin users will be admin.

After logging into the OpenMetadata UI, admin users can change their default password by navigating to `Settings > Members > Admins`.

{%/note%}

## Metadata Ingestion

For ingesting metadata when Basic Auth is enabled, it is mandatory to configure the `ingestion-bot` account with the JWT 
configuration. To know how to enable it, you can follow the documentation of [Enable JWT Tokens](/deployment/security/enable-jwt-tokens).


### Setting up SMTP Server

Basic Authentication is successfully set. For a better login experience, we can also set up the SMTP server to allow the 
users to Reset Password, Account Status Updates, etc. as well.

```yaml
email:
  emailingEntity: ${OM_EMAIL_ENTITY:-"OpenMetadata"} -> Company Name (Optional)
  supportUrl: ${OM_SUPPORT_URL:-"https://slack.open-metadata.org"} -> SupportUrl (Optional)
  enableSmtpServer : ${AUTHORIZER_ENABLE_SMTP:-false} -> True/False
  openMetadataUrl: ${OPENMETADATA_SERVER_URL:-""} -> {http/https}://{your_domain}
  senderMail: ${OPENMETADATA_SMTP_SENDER_MAIL:-""} -> Sender's email
  serverEndpoint: ${SMTP_SERVER_ENDPOINT:-""} -> (Ex :- smtp.gmail.com)
  serverPort: ${SMTP_SERVER_PORT:-""} -> (SSL/TLS port)
  username: ${SMTP_SERVER_USERNAME:-""} -> (SMTP Server Username)
  password: ${SMTP_SERVER_PWD:-""} -> (SMTP Server Password)
  transportationStrategy: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"}
```

Following are valid value for transportation strategy:

- `SMTP`: If SMTP port is 25 use this
- `SMTPS`: If SMTP port is 465 use this
- `SMTP_TLS`: If SMTP port is 587 use this

{% partial file="/v1.7/deployment/configure-ingestion.md" /%}
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00			`---`
			`title: Basic Authentication`
			`slug: /deployment/security/basic-auth`
DOCS - OSS deployment is flagged as Collate False (#17722) 2024-09-05 10:30:31 +02:00			`collate: false`
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00			`---`

			`# UserName/Password Login`

			`Out of the box, OpenMetadata comes with a Username & Password Login Mechanism.`

			`The default Username and Password for Login are:`

			```commandline
Docs: Updated Domain in Docker Compose & Docs (#17603) * Minor: Updating Domain in Docker Compose & Docs * replace openmetadata to open-metadata --------- Co-authored-by: Prajwal Pandit <prajwalpandit@Prajwals-MacBook-Air.local> Co-authored-by: Chirag Madlani <12962843+chirag-madlani@users.noreply.github.com> Co-authored-by: Shailesh Parmar <shailesh.parmar.webdev@gmail.com> 2024-09-09 11:47:09 +05:30			`Username - admin@open-metadata.org`
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00			`Password - admin`
			```
Docs: Updated Domain in Docker Compose & Docs (#17603) * Minor: Updating Domain in Docker Compose & Docs * replace openmetadata to open-metadata --------- Co-authored-by: Prajwal Pandit <prajwalpandit@Prajwals-MacBook-Air.local> Co-authored-by: Chirag Madlani <12962843+chirag-madlani@users.noreply.github.com> Co-authored-by: Shailesh Parmar <shailesh.parmar.webdev@gmail.com> 2024-09-09 11:47:09 +05:30			`When using a custom domain, configure the principal domain as follows:`

			```yaml
			`config:`
			`authorizer:`
			`adminPrincipals: [admin]`
			`principalDomain: "yourdomain.com"`
			```

			With this setup, the default Username will be `admin@yourdomain.com`.
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00
			`{%important%}`

			`Security requirements for your production environment:`
			`- DELETE the admin default account shipped by OM.`
			`- UPDATE the Private / Public keys used for the [JWT Tokens](/deployment/security/enable-jwt-tokens) in case it is enabled.`

			`{%/important%}`

			`# Setting up Basic Auth Manually`

			`Below are the required steps to set up the Basic Login:`

			`## Set up Configurations in openmetadata.yaml`

			`### Authentication Configuration`

			`The following configuration controls the auth mechanism for OpenMetadata. Update the mentioned fields as required.`

			```yaml
			`authenticationConfiguration:`
			`provider: ${AUTHENTICATION_PROVIDER:-basic}`
			`publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[{your domain}/api/v1/system/config/jwks]} # Update with your Domain and Make sure this "/api/v1/system/config/jwks" is always configured to enable JWT tokens`
			`authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}`
			`enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}`
			```

			`For the Basic auth we need to set:`

			- `provider`: basic
			- `publicKeyUrls`: {http\|https}://{your_domain}:{port}}/api/v1/system/config/jwks
			- `authority`: {your_domain}
			- `enableSelfSignup`: This flag indicates if users can come and signup by themselves on the OM

			`### Authorizer Configuration`

			`This configuration controls the authorizer for OpenMetadata:`

			```yaml
			`authorizerConfiguration:`
			`adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}`
			`allowedEmailRegistrationDomains: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]}`
Docs: Updated Domain in Docker Compose & Docs (#17603) * Minor: Updating Domain in Docker Compose & Docs * replace openmetadata to open-metadata --------- Co-authored-by: Prajwal Pandit <prajwalpandit@Prajwals-MacBook-Air.local> Co-authored-by: Chirag Madlani <12962843+chirag-madlani@users.noreply.github.com> Co-authored-by: Shailesh Parmar <shailesh.parmar.webdev@gmail.com> 2024-09-09 11:47:09 +05:30			`principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"open-metadata.org"}`
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00			```

			`For the Basic auth we need to set:`

			- `adminPrincipals`: admin usernames to bootstrap the server with, comma-separated values.
			- `allowedEmailRegistrationDomains`: This controls what all domain are allowed for email registration can be your {principalDomain} as well, for example gmail.com, outlook.comm etc.
Docs: Principal Domain Pointer Updation (#20516) Co-authored-by: Rounak Dhillon <rounakdhillon@Rounaks-MacBook-Air.local> Co-authored-by: Prajwal214 <167504578+Prajwal214@users.noreply.github.com> 2025-03-31 18:28:43 +05:30			- `principalDomain`: This controls what all domain are allowed for email registration, for example gmail.com, outlook.comm etc. When `AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN` is set to `true`, only users with email addresses from the `AUTHORIZER_PRINCIPAL_DOMAIN` can log in.
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00
			`{%note%}`

			Please note the following are the formats to bootstrap admins on server startup: `[admin1,admin2,admin3]`

			This works for SMTP-enabled servers, Login Password for these are generated randomly and sent to the mail `adminName`@`principalDomain`.

Doc: Updating Admin Credentials configs (#17513) Co-authored-by: Prajwal Pandit <prajwalpandit@Prajwals-MacBook-Air.local> 2024-08-21 11:26:37 +05:30			If SMTP is not enabled for OpenMetadata, please use the method below to create admin users: `[admin1, admin2, admin3]`. The default password for all admin users will be admin.
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00
Doc: Updating Admin Credentials configs (#17513) Co-authored-by: Prajwal Pandit <prajwalpandit@Prajwals-MacBook-Air.local> 2024-08-21 11:26:37 +05:30			After logging into the OpenMetadata UI, admin users can change their default password by navigating to `Settings > Members > Admins`.
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00
			`{%/note%}`

			`## Metadata Ingestion`

			For ingesting metadata when Basic Auth is enabled, it is mandatory to configure the `ingestion-bot` account with the JWT
			`configuration. To know how to enable it, you can follow the documentation of [Enable JWT Tokens](/deployment/security/enable-jwt-tokens).`


			`### Setting up SMTP Server`

			`Basic Authentication is successfully set. For a better login experience, we can also set up the SMTP server to allow the`
			`users to Reset Password, Account Status Updates, etc. as well.`

			```yaml
			`email:`
			`emailingEntity: ${OM_EMAIL_ENTITY:-"OpenMetadata"} -> Company Name (Optional)`
			`supportUrl: ${OM_SUPPORT_URL:-"https://slack.open-metadata.org"} -> SupportUrl (Optional)`
			`enableSmtpServer : ${AUTHORIZER_ENABLE_SMTP:-false} -> True/False`
			`openMetadataUrl: ${OPENMETADATA_SERVER_URL:-""} -> {http/https}://{your_domain}`
			`senderMail: ${OPENMETADATA_SMTP_SENDER_MAIL:-""} -> Sender's email`
			`serverEndpoint: ${SMTP_SERVER_ENDPOINT:-""} -> (Ex :- smtp.gmail.com)`
			`serverPort: ${SMTP_SERVER_PORT:-""} -> (SSL/TLS port)`
			`username: ${SMTP_SERVER_USERNAME:-""} -> (SMTP Server Username)`
			`password: ${SMTP_SERVER_PWD:-""} -> (SMTP Server Password)`
			`transportationStrategy: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"}`
			```

			`Following are valid value for transportation strategy:`

			- `SMTP`: If SMTP port is 25 use this
			- `SMTPS`: If SMTP port is 465 use this
			- `SMTP_TLS`: If SMTP port is 587 use this

Docs: Update the 1.7 content references (#19011) * Update the partial references for 1.7.x-SNAPSHOT * Delete image folder for 1.4 and add images for 1.7 * Update the new connector stages 2024-12-12 11:34:09 +05:30			`{% partial file="/v1.7/deployment/configure-ingestion.md" /%}`