yujunjun/OpenMetadata
1
0
Fork 0
mirror of https://github.com/open-metadata/OpenMetadata.git synced 2025-11-01 19:18:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Doc: Adding Note for JWT_PRINCIPAL_CLAIMS Order (#17369)

Browse Source 
Co-authored-by: Prajwal Pandit <prajwalpandit@Prajwals-MacBook-Air.local>
This commit is contained in:
Prajwal214 2024-08-10 10:53:09 +05:30 committed by GitHub
parent 453c20f53e
commit 08dadfabc1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 102 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
openmetadata-docs/content/v1.4.x/deployment/security/azure/bare-metal.md
View File

@ -24,6 +24,12 @@ Then,
- Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below.
- Update the `principalDomain` to your company domain name.
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
```yaml
authorizerConfiguration:
className: "org.openmetadata.service.security.DefaultAuthorizer"

6
openmetadata-docs/content/v1.4.x/deployment/security/azure/docker.md
View File

@ -28,6 +28,12 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Appli
AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
```
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
## 2. Start Docker
```commandline

15
openmetadata-docs/content/v1.4.x/deployment/security/azure/index.md
View File

@ -44,6 +44,21 @@ Admin permissions are required to register the application on the Azure portal.
- Provide a redirect URL as a `Single Page Application`.
- Click on `Register`.
{% note %}
- **SPA (Single Page Application):**
This type is designed for implicit flows. In this case, providing both the client ID and client secret will result in a failure because the implicit flow only requires the client ID for authentication.
- **Web:**
This type is intended for confidential clients. If you select this option, you must provide both the client ID and client secret. Simply passing the client ID will cause the authorization process to fail, as the Authorization Code flow requires both credentials for successful authentication.
### Recommendation:
- Use the **Web** type for confidential clients that require both a client ID and secret.
- Use the **SPA** type for applications using implicit flows where only a client ID is needed.
{% /note %}
{% image src="/images/v1.4/deployment/security/azure/create-app-3.png" alt="create-app" /%}
### Step 3: Where to Find the Credentials

6
openmetadata-docs/content/v1.4.x/deployment/security/azure/kubernetes.md
View File

@ -31,4 +31,10 @@ openmetadata:
callbackUrl: "http://localhost:8585/callback"
```
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
{% partial file="/v1.4/deployment/configure-ingestion.md" /%}

6
openmetadata-docs/content/v1.4.x/deployment/security/keycloak/bare-metal.md
View File

@ -30,6 +30,12 @@ Then,
- Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below.
- Update the `principalDomain` to your company domain name.
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
```yaml
authorizerConfiguration:
className: "org.openmetadata.service.security.DefaultAuthorizer"

6
openmetadata-docs/content/v1.4.x/deployment/security/keycloak/docker.md
View File

@ -29,6 +29,12 @@ AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID
AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
```
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
## 2. Start Docker
```commandline

6
openmetadata-docs/content/v1.4.x/deployment/security/keycloak/kubernetes.md
View File

@ -31,4 +31,10 @@ openmetadata:
callbackUrl: "http://localhost:8585/callback"
```
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
{% partial file="/v1.4/deployment/configure-ingestion.md" /%}

6
openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/bare-metal.md
View File

@ -24,6 +24,12 @@ Then,
- Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below.
- Update the `principalDomain` to your company domain name.
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
```yaml
authorizerConfiguration:
className: "org.openmetadata.service.security.DefaultAuthorizer"

6
openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/docker.md
View File

@ -28,6 +28,12 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Appli
AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
```
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
## 2. Start Docker
```commandline

15
openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/index.md
View File

@ -44,6 +44,21 @@ Admin permissions are required to register the application on the Azure portal.
- Provide a redirect URL as a `Single Page Application`.
- Click on `Register`.
{% note %}
- **SPA (Single Page Application):**
This type is designed for implicit flows. In this case, providing both the client ID and client secret will result in a failure because the implicit flow only requires the client ID for authentication.
- **Web:**
This type is intended for confidential clients. If you select this option, you must provide both the client ID and client secret. Simply passing the client ID will cause the authorization process to fail, as the Authorization Code flow requires both credentials for successful authentication.
### Recommendation:
- Use the **Web** type for confidential clients that require both a client ID and secret.
- Use the **SPA** type for applications using implicit flows where only a client ID is needed.
{% /note %}
{% image src="/images/v1.5/deployment/security/azure/create-app-3.png" alt="create-app" /%}
### Step 3: Where to Find the Credentials

6
openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/kubernetes.md
View File

@ -31,4 +31,10 @@ openmetadata:
callbackUrl: "http://localhost:8585/callback"
```
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
{% partial file="/v1.5/deployment/configure-ingestion.md" /%}

6
openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/bare-metal.md
View File

@ -30,6 +30,12 @@ Then,
- Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below.
- Update the `principalDomain` to your company domain name.
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
```yaml
authorizerConfiguration:
className: "org.openmetadata.service.security.DefaultAuthorizer"

6
openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/docker.md
View File

@ -29,6 +29,12 @@ AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID
AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
```
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
## 2. Start Docker
```commandline

6
openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/kubernetes.md
View File

@ -31,4 +31,10 @@ openmetadata:
callbackUrl: "http://localhost:8585/callback"
```
{% note %}
Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order.
{% /note %}
{% partial file="/v1.5/deployment/configure-ingestion.md" /%}