yujunjun/OpenMetadata
1
0
Fork 0
mirror of https://github.com/open-metadata/OpenMetadata.git synced 2025-12-24 05:58:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Docs: LDAP Authentication Setup for Kubernetes (#19093)

Browse Source
This commit is contained in:
RounakDhillon 2025-01-08 10:06:21 +05:30 committed by GitHub
parent 5ccc0c5a2a
commit 1495e4aba7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 444 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
openmetadata-docs/content/v1.5.x/deployment/security/ldap/kubernetes.md Normal file
View File

@ -0,0 +1,146 @@
---
title: Ldap Authentication for Kubernetes
slug: /deployment/security/ldap/kubernetes
collate: false
---
# LDAP Authentication for Kubernetes
This guide outlines how to configure LDAP authentication for Kubernetes deployments of OpenMetadata. It includes details on required configurations, optional settings, and best practices to ensure secure and efficient authentication.
## Authentication Configuration
```yaml
Update the `openmetadata.yaml` file with the following settings to enable LDAP authentication:
openmetadata:
config:
authorizer:
initialAdmins: ["admin"] # Add admin users here
principalDomain: "example.com" # Organization domain for principal matching
authentication:
provider: ldap
publicKeys:
- "https://<your-domain>/api/v1/system/config/jwks" # Replace with your domain
authority: "https://<your-domain>" # Replace with your domain
enableSelfSignup: false
ldapConfiguration:
host: "ldap.example.com" # Replace with your LDAP server hostname
port: 636 # Use 636 for secure LDAP (LDAPS) or 389 for standard LDAP
dnAdminPrincipal: "cn=admin,dc=example,dc=com"
dnAdminPassword:
secretRef: ldap-admin-secret
secretKey: openmetadata-ldap-secret
userBaseDN: "ou=users,dc=example,dc=com" # Base DN for LDAP users
mailAttributeName: "email" # Attribute for email in the LDAP schema
sslEnabled: true # Enable SSL for secure LDAP
truststoreConfigType: "TrustAll" # Trust store type (options: TrustAll, JVMDefault, HostName, CustomTrustStore)
trustStoreConfig:
trustAllConfig:
examineValidityDates: true # Reject certificates outside the validity window
jwtTokenConfiguration:
enabled: true # Enable JWT tokens for secure communication
# File Path on Airflow Container
rsapublicKeyFilePath: "./conf/public_key.der"
# File Path on Airflow Container
rsaprivateKeyFilePath: "./conf/private_key.der"
```
## Mandatory Fields for LDAP Configuration
- **provider**: Set to `ldap` for enabling LDAP authentication.
- **publicKeys**: Provide the public key URL in the format `{http|https}://{your_domain}:{port}/api/v1/system/config/jwks`.
- **authority**: Specify your domain (e.g., `your_domain`).
- **enableSelfSignup**: Set to `false` for LDAP.
## Key LDAP Fields
- **host**: Hostname of the LDAP server (e.g., `localhost`).
- **port**: Port of the LDAP server (e.g., `10636`).
- **dnAdminPrincipal**: The Distinguished Name (DN) of the admin principal (e.g., `cn=admin,dc=example,dc=com`).
- **dnAdminPassword**: Password for the admin principal.
- **userBaseDN**: Base DN for user lookups (e.g., `ou=people,dc=example,dc=com`).
## Optional Advanced Configuration
- **maxPoolSize**: Maximum connection pool size.
- **sslEnabled**: Set to `true` to enable SSL connections to the LDAP server.
- **truststoreConfigType**: Determines the type of trust store to use (`CustomTrustStore`, `HostName`, `JVMDefault`, or `TrustAll`).
## Example: TrustStore Configurations
### TrustAll Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
truststoreConfigType: TrustAll
trustStoreConfig:
examineValidityDates: true
...
```
### JVMDefault Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
truststoreConfigType: JVMDefault
trustStoreConfig:
jvmDefaultConfig:
verifyHostname: true
...
```
### HostName Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
truststoreConfigType: HostName
trustStoreConfig:
hostNameConfig:
allowWildCards: false
acceptableHostNames: [localhost]
...
```
### CustomTrustStore Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
trusttoreConfigType: CustomTrustStore
trustStoreConfig:
customTrustManagerConfig:
trustStoreFilePath: /path/to/truststore.jks
trustStoreFilePassword:
secretRef: ""
secretKey: ""
trustStoreFileFormat: JKS
verifyHostname: true
examineValidityDates: true
...
```
{% partial file="/v1.5/deployment/configure-ingestion.md" /%}

2
openmetadata-docs/content/v1.5.x/menu.md
View File

@ -75,6 +75,8 @@ site_menu:
url: /deployment/security/ldap/docker
- category: Deployment / Enable Security / Ldap Authentication / Bare Metal
url: /deployment/security/ldap/bare-metal
- category: Deployment / Enable Security / Ldap Authentication / Kubernetes
url: /deployment/security/ldap/kubernetes
- category: Deployment / Enable Security / Auth0 SSO
url: /deployment/security/auth0
- category: Deployment / Enable Security / Auth0 SSO / Docker

146
openmetadata-docs/content/v1.6.x/deployment/security/ldap/kubernetes.md Normal file
View File

@ -0,0 +1,146 @@
---
title: Ldap Authentication for Kubernetes
slug: /deployment/security/ldap/kubernetes
collate: false
---
# LDAP Authentication for Kubernetes
This guide outlines how to configure LDAP authentication for Kubernetes deployments of OpenMetadata. It includes details on required configurations, optional settings, and best practices to ensure secure and efficient authentication.
## Authentication Configuration
```yaml
Update the `openmetadata.yaml` file with the following settings to enable LDAP authentication:
openmetadata:
config:
authorizer:
initialAdmins: ["admin"] # Add admin users here
principalDomain: "example.com" # Organization domain for principal matching
authentication:
provider: ldap
publicKeys:
- "https://<your-domain>/api/v1/system/config/jwks" # Replace with your domain
authority: "https://<your-domain>" # Replace with your domain
enableSelfSignup: false
ldapConfiguration:
host: "ldap.example.com" # Replace with your LDAP server hostname
port: 636 # Use 636 for secure LDAP (LDAPS) or 389 for standard LDAP
dnAdminPrincipal: "cn=admin,dc=example,dc=com"
dnAdminPassword:
secretRef: ldap-admin-secret
secretKey: openmetadata-ldap-secret
userBaseDN: "ou=users,dc=example,dc=com" # Base DN for LDAP users
mailAttributeName: "email" # Attribute for email in the LDAP schema
sslEnabled: true # Enable SSL for secure LDAP
truststoreConfigType: "TrustAll" # Trust store type (options: TrustAll, JVMDefault, HostName, CustomTrustStore)
trustStoreConfig:
trustAllConfig:
examineValidityDates: true # Reject certificates outside the validity window
jwtTokenConfiguration:
enabled: true # Enable JWT tokens for secure communication
# File Path on Airflow Container
rsapublicKeyFilePath: "./conf/public_key.der"
# File Path on Airflow Container
rsaprivateKeyFilePath: "./conf/private_key.der"
```
## Mandatory Fields for LDAP Configuration
- **provider**: Set to `ldap` for enabling LDAP authentication.
- **publicKeys**: Provide the public key URL in the format `{http|https}://{your_domain}:{port}/api/v1/system/config/jwks`.
- **authority**: Specify your domain (e.g., `your_domain`).
- **enableSelfSignup**: Set to `false` for LDAP.
## Key LDAP Fields
- **host**: Hostname of the LDAP server (e.g., `localhost`).
- **port**: Port of the LDAP server (e.g., `10636`).
- **dnAdminPrincipal**: The Distinguished Name (DN) of the admin principal (e.g., `cn=admin,dc=example,dc=com`).
- **dnAdminPassword**: Password for the admin principal.
- **userBaseDN**: Base DN for user lookups (e.g., `ou=people,dc=example,dc=com`).
## Optional Advanced Configuration
- **maxPoolSize**: Maximum connection pool size.
- **sslEnabled**: Set to `true` to enable SSL connections to the LDAP server.
- **truststoreConfigType**: Determines the type of trust store to use (`CustomTrustStore`, `HostName`, `JVMDefault`, or `TrustAll`).
## Example: TrustStore Configurations
### TrustAll Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
truststoreConfigType: TrustAll
trustStoreConfig:
examineValidityDates: true
...
```
### JVMDefault Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
truststoreConfigType: JVMDefault
trustStoreConfig:
jvmDefaultConfig:
verifyHostname: true
...
```
### HostName Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
truststoreConfigType: HostName
trustStoreConfig:
hostNameConfig:
allowWildCards: false
acceptableHostNames: [localhost]
...
```
### CustomTrustStore Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
trusttoreConfigType: CustomTrustStore
trustStoreConfig:
customTrustManagerConfig:
trustStoreFilePath: /path/to/truststore.jks
trustStoreFilePassword:
secretRef: ""
secretKey: ""
trustStoreFileFormat: JKS
verifyHostname: true
examineValidityDates: true
...
```
{% partial file="/v1.6/deployment/configure-ingestion.md" /%}

2
openmetadata-docs/content/v1.6.x/menu.md
View File

@ -75,6 +75,8 @@ site_menu:
url: /deployment/security/ldap/docker
- category: Deployment / Enable Security / Ldap Authentication / Bare Metal
url: /deployment/security/ldap/bare-metal
- category: Deployment / Enable Security / Ldap Authentication / Kubernetes
url: /deployment/security/ldap/kubernetes
- category: Deployment / Enable Security / Auth0 SSO
url: /deployment/security/auth0
- category: Deployment / Enable Security / Auth0 SSO / Docker

146
openmetadata-docs/content/v1.7.x-SNAPSHOT/deployment/security/ldap/kubernetes.md Normal file
View File

@ -0,0 +1,146 @@
---
title: Ldap Authentication for Kubernetes
slug: /deployment/security/ldap/kubernetes
collate: false
---
# LDAP Authentication for Kubernetes
This guide outlines how to configure LDAP authentication for Kubernetes deployments of OpenMetadata. It includes details on required configurations, optional settings, and best practices to ensure secure and efficient authentication.
## Authentication Configuration
```yaml
Update the `openmetadata.yaml` file with the following settings to enable LDAP authentication:
openmetadata:
config:
authorizer:
initialAdmins: ["admin"] # Add admin users here
principalDomain: "example.com" # Organization domain for principal matching
authentication:
provider: ldap
publicKeys:
- "https://<your-domain>/api/v1/system/config/jwks" # Replace with your domain
authority: "https://<your-domain>" # Replace with your domain
enableSelfSignup: false
ldapConfiguration:
host: "ldap.example.com" # Replace with your LDAP server hostname
port: 636 # Use 636 for secure LDAP (LDAPS) or 389 for standard LDAP
dnAdminPrincipal: "cn=admin,dc=example,dc=com"
dnAdminPassword:
secretRef: ldap-admin-secret
secretKey: openmetadata-ldap-secret
userBaseDN: "ou=users,dc=example,dc=com" # Base DN for LDAP users
mailAttributeName: "email" # Attribute for email in the LDAP schema
sslEnabled: true # Enable SSL for secure LDAP
truststoreConfigType: "TrustAll" # Trust store type (options: TrustAll, JVMDefault, HostName, CustomTrustStore)
trustStoreConfig:
trustAllConfig:
examineValidityDates: true # Reject certificates outside the validity window
jwtTokenConfiguration:
enabled: true # Enable JWT tokens for secure communication
# File Path on Airflow Container
rsapublicKeyFilePath: "./conf/public_key.der"
# File Path on Airflow Container
rsaprivateKeyFilePath: "./conf/private_key.der"
```
## Mandatory Fields for LDAP Configuration
- **provider**: Set to `ldap` for enabling LDAP authentication.
- **publicKeys**: Provide the public key URL in the format `{http|https}://{your_domain}:{port}/api/v1/system/config/jwks`.
- **authority**: Specify your domain (e.g., `your_domain`).
- **enableSelfSignup**: Set to `false` for LDAP.
## Key LDAP Fields
- **host**: Hostname of the LDAP server (e.g., `localhost`).
- **port**: Port of the LDAP server (e.g., `10636`).
- **dnAdminPrincipal**: The Distinguished Name (DN) of the admin principal (e.g., `cn=admin,dc=example,dc=com`).
- **dnAdminPassword**: Password for the admin principal.
- **userBaseDN**: Base DN for user lookups (e.g., `ou=people,dc=example,dc=com`).
## Optional Advanced Configuration
- **maxPoolSize**: Maximum connection pool size.
- **sslEnabled**: Set to `true` to enable SSL connections to the LDAP server.
- **truststoreConfigType**: Determines the type of trust store to use (`CustomTrustStore`, `HostName`, `JVMDefault`, or `TrustAll`).
## Example: TrustStore Configurations
### TrustAll Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
truststoreConfigType: TrustAll
trustStoreConfig:
examineValidityDates: true
...
```
### JVMDefault Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
truststoreConfigType: JVMDefault
trustStoreConfig:
jvmDefaultConfig:
verifyHostname: true
...
```
### HostName Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
truststoreConfigType: HostName
trustStoreConfig:
hostNameConfig:
allowWildCards: false
acceptableHostNames: [localhost]
...
```
### CustomTrustStore Configuration
```yaml
openmetadata:
config:
...
authentication:
...
ldapConfiguration:
...
trusttoreConfigType: CustomTrustStore
trustStoreConfig:
customTrustManagerConfig:
trustStoreFilePath: /path/to/truststore.jks
trustStoreFilePassword:
secretRef: ""
secretKey: ""
trustStoreFileFormat: JKS
verifyHostname: true
examineValidityDates: true
...
```
{% partial file="/v1.7/deployment/configure-ingestion.md" /%}

2
openmetadata-docs/content/v1.7.x-SNAPSHOT/menu.md
View File

@ -75,6 +75,8 @@ site_menu:
url: /deployment/security/ldap/docker
- category: Deployment / Enable Security / Ldap Authentication / Bare Metal
url: /deployment/security/ldap/bare-metal
- category: Deployment / Enable Security / Ldap Authentication / Kubernetes
url: /deployment/security/ldap/kubernetes
- category: Deployment / Enable Security / Auth0 SSO
url: /deployment/security/auth0
- category: Deployment / Enable Security / Auth0 SSO / Docker