Fixes #8313 Deprecate botPrincipals from open metadata configuration (#8314)

2025-10-11 16:58:38 +00:00 · 2022-10-21 20:49:41 -07:00 · 2022-10-21 20:49:41 -07:00 · 0d75eb9ff2
commit 0d75eb9ff2
parent 268d1171f1
23 changed files with 18 additions and 61 deletions
--- a/conf/openmetadata.yaml
+++ b/conf/openmetadata.yaml
@ -137,7 +137,6 @@ authorizerConfiguration:
  containerRequestFilter: ${AUTHORIZER_REQUEST_FILTER:-org.openmetadata.service.security.JwtFilter}
  adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
  allowedEmailRegistrationDomains: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]}
-  botPrincipals: ${AUTHORIZER_INGESTION_PRINCIPALS:-[ingestion-bot]}
  principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"openmetadata.org"}
  enforcePrincipalDomain: ${AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN:-false}
  enableSecureSocketConnection : ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false}
--- a/openmetadata-docs/content/deployment/kubernetes/values.md
+++ b/openmetadata-docs/content/deployment/kubernetes/values.md
@ -27,7 +27,6 @@ This page list all the supported helm values for OpenMetadata Helm Charts.
 | global.authorizer.enforcePrincipalDomain | bool | `false` |
 | global.authorizer.enableSecureSocketConnection | bool | `false` |
 | global.authorizer.initialAdmins | list | `[admin]` |
-| global.authorizer.botPrincipals | list | `[ingestion-bot]` |
 | global.authorizer.principalDomain | string | `open-metadata.org` |
 | global.airflow.auth.password.secretRef | string | `airflow-secrets` |
 | global.airflow.auth.password.secretKey | string | `openmetadata-airflow-password` |
--- a/openmetadata-docs/content/deployment/security/amazon-cognito-sso/bare-metal.md
+++ b/openmetadata-docs/content/deployment/security/amazon-cognito-sso/bare-metal.md
@ -33,8 +33,6 @@ authorizerConfiguration:
  adminPrincipals:
    - "user1"
    - "user2"
-  botPrincipals:
-    - "ingestion-bot"
  principalDomain: "open-metadata.org"
 ```

--- a/openmetadata-docs/content/deployment/security/amazon-cognito-sso/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/amazon-cognito-sso/kubernetes.md
@ -18,8 +18,6 @@ global:
    initialAdmins:
      - "user1"
      - "user2"
-    botPrincipals:
-      - "<service_application_client_id>"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "google"
--- a/openmetadata-docs/content/deployment/security/auth0/bare-metal.md
+++ b/openmetadata-docs/content/deployment/security/auth0/bare-metal.md
@ -31,8 +31,6 @@ authorizerConfiguration:
  adminPrincipals:
    - "user1"
    - "user2"
-  botPrincipals:
-    - "ingestion-bot"
  principalDomain: "open-metadata.org"
 ```

--- a/openmetadata-docs/content/deployment/security/auth0/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/auth0/kubernetes.md
@ -19,8 +19,6 @@ global:
    containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
    initialAdmins: 
    - "suresh"
-    botPrincipals: 
-    - "<client_id>"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "auth0"
--- a/openmetadata-docs/content/deployment/security/azure/bare-metal.md
+++ b/openmetadata-docs/content/deployment/security/azure/bare-metal.md
@ -33,8 +33,6 @@ authorizerConfiguration:
  adminPrincipals:
    - "user1"
    - "user2"
-  botPrincipals:
-    - "ingestion-bot"
  principalDomain: "open-metadata.org"
 ```

--- a/openmetadata-docs/content/deployment/security/azure/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/azure/kubernetes.md
@ -30,8 +30,6 @@ global:
    initialAdmins:
      - "user1"
      - "user2"
-    botPrincipals:
-      - "<object-id-for-azure-service-application-enterprise-application>"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "azure"
@ -62,8 +60,6 @@ global:
    initialAdmins:
      - "user1"
      - "user2"
-    botPrincipals:
-      - "ingestion-bot"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "azure"
--- a/openmetadata-docs/content/deployment/security/custom-oidc/bare-metal.md
+++ b/openmetadata-docs/content/deployment/security/custom-oidc/bare-metal.md
@ -36,8 +36,6 @@ authorizerConfiguration:
  adminPrincipals:
    - "user1"
    - "user2"
-  botPrincipals:
-    - "ingestion-bot"
  principalDomain: "open-metadata.org"
 ```

--- a/openmetadata-docs/content/deployment/security/custom-oidc/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/custom-oidc/kubernetes.md
@ -20,8 +20,6 @@ global:
    initialAdmins:
      - "user1"
      - "user2"
-    botPrincipals:
-      - "<service_application_client_id>"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "custom-oidc"
@ -50,8 +48,6 @@ global:
    initialAdmins:
      - "user1"
      - "user2"
-    botPrincipals:
-      - "<service_application_client_id>"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "custom-oidc"
--- a/openmetadata-docs/content/deployment/security/google/bare-metal.md
+++ b/openmetadata-docs/content/deployment/security/google/bare-metal.md
@ -31,8 +31,6 @@ authorizerConfiguration:
  adminPrincipals:
    - "user1"
    - "user2"
-  botPrincipals:
-    - "ingestion-bot"
  principalDomain: "open-metadata.org"
 ```

--- a/openmetadata-docs/content/deployment/security/google/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/google/kubernetes.md
@ -20,8 +20,6 @@ global:
    initialAdmins:
      - "user1"
      - "user2"
-    botPrincipals:
-      - "<service_application_client_id>"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "google"
--- a/openmetadata-docs/content/deployment/security/keycloak/bare-metal.md
+++ b/openmetadata-docs/content/deployment/security/keycloak/bare-metal.md
@ -36,9 +36,6 @@ authorizerConfiguration:
  containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
  adminPrincipals:
    - "admin-user"
-  botPrincipals:
-    - "ingestion-bot"
-    - "service-account-open-metadata"
  principalDomain: "open-metadata.org"
 ```

--- a/openmetadata-docs/content/deployment/security/keycloak/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/keycloak/kubernetes.md
@ -26,9 +26,6 @@ global:
    containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
    initialAdmins:
      - "admin-user"
-    botPrincipals:
-      - "ingestion-bot"
-      - "service-account-open-metadata"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "custom-oidc"
@ -57,9 +54,6 @@ global:
    containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
    initialAdmins:
      - "admin-user"
-    botPrincipals:
-      - "ingestion-bot"
-      - "service-account-open-metadata"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "custom-oidc"
--- a/openmetadata-docs/content/deployment/security/okta/bare-metal.md
+++ b/openmetadata-docs/content/deployment/security/okta/bare-metal.md
@ -22,7 +22,6 @@ authenticationConfiguration:
 Then, 
 - Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below.
 - Update the `principalDomain` to your company domain name.
- update the `botPrincipals`, add the Ingestion Client ID for the Service application. This can be found in Okta -> Applications -> Applications, Refer to Step 3 for `Creating Service Application`.

 ```yaml
 authorizerConfiguration:
@ -32,9 +31,6 @@ authorizerConfiguration:
  adminPrincipals:
    - "user1"
    - "user2"
-  botPrincipals:
-    - "ingestion-bot"
-    - "<service_application_client_id>"
  principalDomain: "open-metadata.org"
 ```

--- a/openmetadata-docs/content/deployment/security/okta/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/okta/kubernetes.md
@ -10,7 +10,6 @@ Check the Helm information [here](https://artifacthub.io/packages/search?repo=op
 Once the `Client Id` and `Client Secret` are generated, see the snippet below for an example of where to
 place the client id value and update the authorizer configurations in the `values.yaml`.

-Note: Make sure to add the Ingestion Client ID for the Service application in `botPrincipals`. 
 This can be found in Okta -> Applications -> Applications, Refer to Step 3 for `Creating Service Application`.

 ### Before 0.12.1
@ -23,9 +22,6 @@ global:
    initialAdmins:
      - "user1"
      - "user2"
-    botPrincipals:
-      - ingestion-bot
-      - "<service_application_client_id>"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "okta"
--- a/openmetadata-docs/content/deployment/security/one-login/bare-metal.md
+++ b/openmetadata-docs/content/deployment/security/one-login/bare-metal.md
@ -36,8 +36,6 @@ authorizerConfiguration:
  adminPrincipals:
    - "user1"
    - "user2"
-  botPrincipals:
-    - "ingestion-bot"
  principalDomain: "open-metadata.org"
 ```

--- a/openmetadata-docs/content/deployment/security/one-login/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/one-login/kubernetes.md
@ -20,8 +20,6 @@ global:
    containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
    initialAdmins: 
    - "suresh"
-    botPrincipals: 
-    - "ingestion-bot"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "custom-oidc"
@ -50,8 +48,6 @@ global:
    containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
    initialAdmins: 
    - "suresh"
-    botPrincipals: 
-    - "ingestion-bot"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "custom-oidc"
--- a/openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplication.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplication.java
@ -40,6 +40,7 @@ import java.lang.reflect.InvocationTargetException;
 import java.time.temporal.ChronoUnit;
 import java.util.EnumSet;
 import java.util.Optional;
+import javax.naming.ConfigurationException;
 import javax.servlet.DispatcherType;
 import javax.servlet.FilterRegistration;
 import javax.servlet.ServletException;
@ -94,7 +95,9 @@ public class OpenMetadataApplication extends Application<OpenMetadataApplication
  @Override
  public void run(OpenMetadataApplicationConfig catalogConfig, Environment environment)
      throws ClassNotFoundException, IllegalAccessException, InstantiationException, NoSuchMethodException,
-          InvocationTargetException, IOException {
+          InvocationTargetException, IOException, ConfigurationException {
+    validateConfiguration(catalogConfig);
+
    // init email Util for handling
    if (catalogConfig.getSmtpSettings() != null && catalogConfig.getSmtpSettings().getEnableSmtpServer()) {
      EmailUtil.EmailUtilBuilder.build(catalogConfig.getSmtpSettings());
@ -156,7 +159,7 @@ public class OpenMetadataApplication extends Application<OpenMetadataApplication
    FilterRegistration.Dynamic micrometerFilter =
        environment.servlets().addFilter("MicrometerHttpFilter", new MicrometerHttpFilter());
    micrometerFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
-    intializeWebsockets(catalogConfig, environment);
+    initializeWebsockets(catalogConfig, environment);
  }

  private Jdbi createAndSetupJDBI(Environment environment, DataSourceFactory dbFactory) {
@ -227,6 +230,14 @@ public class OpenMetadataApplication extends Application<OpenMetadataApplication
    }
  }

+  private void validateConfiguration(OpenMetadataApplicationConfig catalogConfig) throws ConfigurationException {
+    if (catalogConfig.getAuthorizerConfiguration().getBotPrincipals() != null) {
+      throw new ConfigurationException(
+          "'botPrincipals' configuration is deprecated. Please remove it from "
+              + "'openmetadata.yaml and restart the server");
+    }
+  }
+
  private void registerAuthorizer(OpenMetadataApplicationConfig catalogConfig, Environment environment)
      throws NoSuchMethodException, ClassNotFoundException, IllegalAccessException, InvocationTargetException,
          InstantiationException {
@ -280,7 +291,7 @@ public class OpenMetadataApplication extends Application<OpenMetadataApplication
    environment.getApplicationContext().setErrorHandler(eph);
  }

-  private void intializeWebsockets(OpenMetadataApplicationConfig catalogConfig, Environment environment) {
+  private void initializeWebsockets(OpenMetadataApplicationConfig catalogConfig, Environment environment) {
    SocketAddressFilter socketAddressFilter;
    String pathSpec = "/api/v1/push/feed/*";
    if (catalogConfig.getAuthorizerConfiguration() != null) {
--- a/openmetadata-service/src/test/java/org/openmetadata/service/resources/config/ConfigResourceTest.java
+++ b/openmetadata-service/src/test/java/org/openmetadata/service/resources/config/ConfigResourceTest.java
@ -73,7 +73,6 @@ class ConfigResourceTest extends OpenMetadataApplicationTest {
    assertEquals(config.getAuthorizerConfiguration().getClassName(), auth.getClassName());
    assertEquals(config.getAuthorizerConfiguration().getPrincipalDomain(), auth.getPrincipalDomain());
    assertEquals(config.getAuthorizerConfiguration().getAdminPrincipals(), auth.getAdminPrincipals());
-    assertEquals(config.getAuthorizerConfiguration().getBotPrincipals(), auth.getBotPrincipals());
    assertEquals(config.getAuthorizerConfiguration().getContainerRequestFilter(), auth.getContainerRequestFilter());
    assertEquals(
        config.getAuthorizerConfiguration().getEnableSecureSocketConnection(), auth.getEnableSecureSocketConnection());
--- a/openmetadata-service/src/test/resources/openmetadata-secure-test.yaml
+++ b/openmetadata-service/src/test/resources/openmetadata-secure-test.yaml
@ -132,8 +132,6 @@ authorizerConfiguration:
  containerRequestFilter: "org.openmetadata.service.security.CatalogOpenIdAuthorizationRequestFilter"
  adminPrincipals:
    - "admin"
-  botPrincipals:
-    - "ingestion-bot"
  # Added only for test purposes and not for production setup
  testPrincipals:
    - "test"
--- a/openmetadata-spec/src/main/resources/json/schema/configuration/authorizerConfiguration.json
+++ b/openmetadata-spec/src/main/resources/json/schema/configuration/authorizerConfiguration.json
@ -23,12 +23,13 @@
      "uniqueItems": true
    },
    "botPrincipals": {
-      "description": "List of unique bot principals",
+      "description": "**@Deprecated** List of unique bot principals",
      "type": "array",
      "items": {
        "type": "string"
      },
-      "uniqueItems": true
+      "uniqueItems": true,
+      "default": null
    },
    "testPrincipals": {
      "description": "List of unique principals used as test users. **NOTE THIS IS ONLY FOR TEST SETUP AND NOT TO BE USED IN PRODUCTION SETUP**",
@ -59,6 +60,6 @@
      "type": "boolean"
    }
  },
-  "required": ["className", "containerRequestFilter", "adminPrincipals", "botPrincipals", "principalDomain", "enforcePrincipalDomain", "enableSecureSocketConnection"],
+  "required": ["className", "containerRequestFilter", "adminPrincipals", "principalDomain", "enforcePrincipalDomain", "enableSecureSocketConnection"],
  "additionalProperties": false
 }
--- a/openmetadata-ui/src/main/resources/ui/mock-api/v1/config/authorizer/GET.json
+++ b/openmetadata-ui/src/main/resources/ui/mock-api/v1/config/authorizer/GET.json
@ -4,8 +4,5 @@
  "adminPrincipals": [
    "admin"
  ],
-  "botPrincipals": [
-    "ingestion-bot"
-  ],
  "principalDomain": ""
 }