diff --git a/openmetadata-docs/content/deployment/security/azure/bare-metal.md b/openmetadata-docs/content/deployment/security/azure/bare-metal.md index 5f9ff2f6da1..595dbc40f59 100644 --- a/openmetadata-docs/content/deployment/security/azure/bare-metal.md +++ b/openmetadata-docs/content/deployment/security/azure/bare-metal.md @@ -5,9 +5,11 @@ slug: /deployment/security/azure/bare-metal # Azure SSO for Bare Metal -## Update conf/openmetadata.yaml +Get the `Client Id` and `Tenant ID` from Azure Application configured in [Step 3](/deployment/security/azure#step-3-where-to-find-the-credentials). -Once the `Client Id` and `Client Secret` are generated add the `Client Id` in `openmetadata.yaml` file in `client_id` field. +Get the Azure Service Application `Client Id`, `Client Secret`, `Authority`, `Scopes` from the information collected in [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority). + +## Update conf/openmetadata.yaml ```yaml authenticationConfiguration: @@ -15,7 +17,7 @@ authenticationConfiguration: publicKeyUrls: - "https://login.microsoftonline.com/common/discovery/keys" authority: "https://login.microsoftonline.com/{Tenant ID}" - clientId: "{Client ID}" + clientId: "{Client ID}" # Azure Application callbackUrl: "http://localhost:8585/callback" ``` @@ -42,6 +44,8 @@ Finally, update the Airflow information: **Before 0.12.1** +Once the `Client Id` and `Client Secret` are generated for Azure SSO Service Application, add in `openmetadata.yaml` file for the information collected in [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority). + ```yaml airflowConfiguration: apiEndpoint: ${AIRFLOW_HOST:-http://localhost:8080} 
@@ -54,7 +58,7 @@ airflowConfiguration: clientSecret: ${OM_AUTH_AIRFLOW_AZURE_CLIENT_SECRET:-""} authority: ${OM_AUTH_AIRFLOW_AZURE_AUTHORITY_URL:-""} scopes: ${OM_AUTH_AIRFLOW_AZURE_SCOPES:-[]} - clientId: ${OM_AUTH_AIRFLOW_AZURE_CLIENT_ID:-""} + clientId: ${OM_AUTH_AIRFLOW_AZURE_CLIENT_ID:-""} # Azure Service Application ``` **After 0.12.1** @@ -67,5 +71,8 @@ airflowConfiguration: metadataApiEndpoint: ${SERVER_HOST_API_URL:-http://localhost:8585/api} ``` -**Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for -ingesting data from Airflow. + + +Follow [this](/deployment/security/azure#step-10-update-ingestion-bot-with-azure-sso-service-application) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow. + + \ No newline at end of file diff --git a/openmetadata-docs/content/deployment/security/azure/docker.md b/openmetadata-docs/content/deployment/security/azure/docker.md index 6079ae0335d..67945f2e950 100644 --- a/openmetadata-docs/content/deployment/security/azure/docker.md +++ b/openmetadata-docs/content/deployment/security/azure/docker.md 
@@ -9,23 +9,33 @@ To enable security for the Docker deployment, follow the next steps: ## 1. Create an .env file +Get the `Client Id` and `Tenant ID` from Azure Application configured in [Step 3](/deployment/security/azure#step-3-where-to-find-the-credentials). + +Get the Azure Service Application `Client Id`, `Client Secret`, `Authority`, `Scopes` from the information collected in [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority). + Create an `openmetadata_azure.env` file and add the following contents as an example. Use the information generated when setting up the account. ### 1.1 Before 0.12.1 + + +The Object Id will be `` fetched from [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority). + + + ```shell # OpenMetadata Server Authentication Configuration -AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer -AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter +AUTHORIZER_CLASS_NAME=org.openmetadata.catalog.security.DefaultAuthorizer +AUTHORIZER_REQUEST_FILTER=org.openmetadata.catalog.security.JwtFilter AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com -AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot] +AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot, {object-id-for-azure-service-application-enterprise-application}] AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain AUTHENTICATION_PROVIDER=azure AUTHENTICATION_PUBLIC_KEYS=[https://login.microsoftonline.com/common/discovery/keys] AUTHENTICATION_AUTHORITY=https://login.microsoftonline.com/{Tenant ID} # Update with your Tenant ID -AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID +AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Application AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback # Airflow Configuration 
@@ -33,7 +43,7 @@ AIRFLOW_AUTH_PROVIDER=azure OM_AUTH_AIRFLOW_AZURE_CLIENT_SECRET={Client Secret} # Update with your Client Secret OM_AUTH_AIRFLOW_AZURE_AUTHORITY_URL=https://login.microsoftonline.com/{Tenant ID} # Update with your Tenant ID OM_AUTH_AIRFLOW_AZURE_SCOPES=[{scopes}] # Update with your Scopes -OM_AUTH_AIRFLOW_AZURE_CLIENT_ID={Client Id} # Update with your Client ID +OM_AUTH_AIRFLOW_AZURE_CLIENT_ID={Client Id} # Update with your Client ID of Azure Service Application ``` ### 1.2 After 0.12.1 @@ -49,12 +59,15 @@ AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain AUTHENTICATION_PROVIDER=azure AUTHENTICATION_PUBLIC_KEYS=[https://login.microsoftonline.com/common/discovery/keys] AUTHENTICATION_AUTHORITY=https://login.microsoftonline.com/{Tenant ID} # Update with your Tenant ID -AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID +AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Application AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback ``` -**Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for -ingesting data from Airflow. + + +Follow [this](/deployment/security/azure#step-10-update-ingestion-bot-with-azure-sso-service-application) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow. + + ## 2. Start Docker diff --git a/openmetadata-docs/content/deployment/security/azure/index.md b/openmetadata-docs/content/deployment/security/azure/index.md index 214436dff22..ed86f0e479e 100644 --- a/openmetadata-docs/content/deployment/security/azure/index.md +++ b/openmetadata-docs/content/deployment/security/azure/index.md 
@@ -82,9 +82,9 @@ Admin permissions are required to register the application on the Azure portal. ### Step 4: Register Another Azure Application Another Azure Application must be registered for Service ingestion. -- + - Provide an application name. -- Create a `public client redirect URI`. +- `public client redirect URI` will be blank. - Click on Register. add-app @@ -145,16 +145,18 @@ the application access scope. - The `secret_key` is required for ingestion. -### Step 9: Note down the clientId and Authority +### Step 9: Note down the information for OpenMetadata configurations -- `clientID`: The Application (Client) ID is displayed in the Overview section of the registered application. +- `clientID`: The Application (Client) ID is displayed in the Overview section of the registered applications (Azure Application for UI and Azure Service Application if any). - `authority`: When passing the details for authority, the Tenant ID is added to the URL as shown below. `https://login.microsoftonline.com/TenantID` - `clientSecret`: The clientSecret can be accessed from the Certificates & secret section of the application. +- `scopes`: The scopes for running the ingestion to get token using Client Credentials Flow. This will be in the format of `/.default` (Application Id URI will be available from [Step 7](/deployment/security/azure#step-7-set-the-app-id-uri)) +- `object-id`: You can fetch the `object id` of Azure Application created for OpenMetadata Service Application as provided in the below image. This is required for setting the OpenMetadata with YAML configurations as well as Updating Ingestion-Bot from UI. You can find `object id` in Azure `Active Directory >> Enterprise Applications`. -This information is required to configure Airflow. +object-id -client-id-authority +This information is required to configure ingestion-bot from OpenMetadata UI from 0.12.1 Release. After the applying these steps, you can update the configuration of your deployment: 
@@ -185,7 +187,23 @@ After the applying these steps, you can update the configuration of your deploym -## Configure Ingestion +### Step 10: Update Ingestion Bot with Azure SSO Service Application + +Starting from 0.12.1, Navigate to `Settings >> Bots >> ingestion-bot` and click on edit. + + + +Update the Auth Mechanism as Azure SSO and update `Email`, `ClientSecret`, `ClientId`, `Authority`, and `Scopes` as mentioned in [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority). + +The `Email` will be in the format of `@`. + +Next, Click on Save. + + + +This will enable all the Service Connector Ingestions created from UI to securely use Azure SSO Service Applications for connecting with OpenMetadata APIs. + +## Configure Ingestion from CLI After everything has been set up, you will need to configure your workflows if you are running them via the `metadata` CLI or with any custom scheduler. @@ -202,8 +220,6 @@ workflowConfig: authority: '{your_authority_url}' clientId: '{your_client_id}' scopes: - - your_scopes + - /.default ``` - - diff --git a/openmetadata-docs/content/deployment/security/azure/kubernetes.md b/openmetadata-docs/content/deployment/security/azure/kubernetes.md index 1477d614b90..4379cbbdccd 100644 --- a/openmetadata-docs/content/deployment/security/azure/kubernetes.md +++ b/openmetadata-docs/content/deployment/security/azure/kubernetes.md 
@@ -7,28 +7,38 @@ slug: /deployment/security/azure/kubernetes Check the Helm information [here](https://artifacthub.io/packages/search?repo=open-metadata). -Once the `Client Id` and `Client Secret` are generated, see the snippet below for an example of where to -place the client id value and update the authorizer configurations in the `values.yaml`. +Get the `Client Id` and `Tenant ID` from Azure Application configured in [Step 3](/deployment/security/azure#step-3-where-to-find-the-credentials). + +Get the Azure Service Application `Client Id`, `Client Secret`, `Authority`, `Scopes` from the information collected in [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority). + +See the snippet below for an example of where to place the values and update the authorizer configurations in the `values.yaml`. + ### Before 0.12.1 + + +The Object Id will be `` fetched from [Step 9](/deployment/security/azure#step-9-note-down-the-clientid-and-authority). + + + ```yaml global: authorizer: - className: "org.openmetadata.service.security.DefaultAuthorizer" - containerRequestFilter: "org.openmetadata.service.security.JwtFilter" + className: "org.openmetadata.catalog.security.DefaultAuthorizer" + containerRequestFilter: "org.openmetadata.catalog.security.JwtFilter" initialAdmins: - "user1" - "user2" botPrincipals: - - "" + - "" principalDomain: "open-metadata.org" authentication: provider: "azure" publicKeys: - "https://login.microsoftonline.com/common/discovery/keys" authority: "https://login.microsoftonline.com/{Tenant ID}" - clientId: "{Client ID}" + clientId: "{Client ID}" # Azure Application callbackUrl: "http://localhost:8585/callback" airflow: openmetadata: @@ -37,9 +47,9 @@ global: clientSecret: secretRef: azure-client-secret secretKey: azure-client-secret - authority: "" + authority: "https://login.microsoftonline.com/{Tenant ID}" scopes: [ ] - clientId: "" + clientId: "{Client ID}" # Azure Service Application ``` ### After 0.12.1 
@@ -53,16 +63,19 @@ global: - "user1" - "user2" botPrincipals: - - "" + - "ingestion-bot" principalDomain: "open-metadata.org" authentication: provider: "azure" publicKeys: - "https://login.microsoftonline.com/common/discovery/keys" authority: "https://login.microsoftonline.com/{Tenant ID}" - clientId: "{Client ID}" + clientId: "{Client ID}" # Azure Application callbackUrl: "http://localhost:8585/callback" ``` -**Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for -ingesting data from Airflow. \ No newline at end of file + + +Follow [this](/deployment/security/azure#step-10-update-ingestion-bot-with-azure-sso-service-application) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow. + + \ No newline at end of file diff --git a/openmetadata-docs/images/deployment/security/azure/azure-service-application-object-id.png b/openmetadata-docs/images/deployment/security/azure/azure-service-application-object-id.png new file mode 100644 index 00000000000..34f688029d8 Binary files /dev/null and b/openmetadata-docs/images/deployment/security/azure/azure-service-application-object-id.png differ diff --git a/openmetadata-docs/images/deployment/security/azure/ingestion-bot-updated-values.png b/openmetadata-docs/images/deployment/security/azure/ingestion-bot-updated-values.png new file mode 100644 index 00000000000..6a69782741a Binary files /dev/null and b/openmetadata-docs/images/deployment/security/azure/ingestion-bot-updated-values.png differ diff --git a/openmetadata-docs/images/deployment/security/azure/update-ingestion-bot-service-application.png b/openmetadata-docs/images/deployment/security/azure/update-ingestion-bot-service-application.png new file mode 100644 index 00000000000..80c5c9f1035 Binary files /dev/null and b/openmetadata-docs/images/deployment/security/azure/update-ingestion-bot-service-application.png differ
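Review bot: in the bare-metal.md hunk `@@ -5,9 +5,11 @@`, the two new links point at `/deployment/security/azure#step-9-note-down-the-clientid-and-authority`, but the same patch renames that heading in index.md to "Step 9: Note down the information for OpenMetadata configurations", so the generated anchor will no longer match; the stale anchor is repeated in docker.md, kubernetes.md and in the new Step 10 text of index.md. Either keep the original heading text or update every link to the new slug.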
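Review bot: in the bare-metal.md hunk `@@ -42,6 +44,8 @@`, the added sentence "add in `openmetadata.yaml` file for the information collected in Step 9" is ungrammatical and does not say which keys to fill in; suggest "add the `Client Id`, `Client Secret`, `Authority` and `Scopes` collected in Step 9 to the `airflowConfiguration` section of `openmetadata.yaml`".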
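Review bot: in the bare-metal.md hunk `@@ -67,5 +71,8 @@` (and likewise in the docker.md `@@ -49,12 +59,15 @@` and kubernetes.md `@@ -53,16 +63,19 @@` hunks), the old `**Note:**` paragraph is replaced by a bare sentence surrounded by empty `+` lines, and the file now ends without a trailing newline ("\ No newline at end of file"). Restore the trailing newline, and either keep the `**Note:**` label or add whatever wrapper the empty lines were meant to hold, so the link does not render as a floating sentence.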
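Review bot: in the docker.md hunk `@@ -9,23 +9,33 @@`, the Before 0.12.1 example now adds the service application's object id to `AUTHORIZER_INGESTION_PRINCIPALS`, which makes `OM_AUTH_AIRFLOW_AZURE_CLIENT_SECRET` a credential with bot-level write access to the catalog, yet the `.env` example embeds that secret in plain text; kubernetes.md already pulls it from a `secretRef`, so the doc should say to keep `openmetadata_azure.env` out of version control or source the secret from a secrets store. Two smaller points: "The Object Id will be `` fetched from Step 9" has an empty code span and should show the `{object-id-for-azure-service-application-enterprise-application}` placeholder used in the env line below it, and the switch from `org.openmetadata.service.security` to `org.openmetadata.catalog.security` is unexplained; one sentence saying the old package name applies only to releases before 0.12.1 would stop readers from mixing the two blocks.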
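Review bot: in the index.md hunk `@@ -82,9 +82,9 @@`, "`public client redirect URI` will be blank." reads as a statement rather than an instruction; suggest "Leave `public client redirect URI` blank." The `-` to ` ` change also replaces the empty bullet with a line containing a single space; delete the line instead of leaving trailing whitespace.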
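Review bot: in the index.md hunk `@@ -145,16 +145,18 @@`, the `scopes` bullet says the value is "in the format of `/.default`" with nothing before the slash, so the Application ID URI from Step 7 that must precede it is missing; spell out the placeholder, e.g. `{Application ID URI}/.default`. The `object-id` bullet also says the object id is needed for "Updating Ingestion-Bot from UI", but Step 10 asks only for `Email`, `ClientSecret`, `ClientId`, `Authority` and `Scopes`, and the closing sentence now says this information is for the UI from 0.12.1, while the object id is what the Before 0.12.1 configs in docker.md and kubernetes.md consume. State which value is used in which release.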
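Review bot: in the index.md hunk `@@ -185,7 +187,23 @@`, "The `Email` will be in the format of `@`" shows an empty placeholder on both sides of the `@`; state what goes on each side (if the right-hand side is the `AUTHORIZER_PRINCIPAL_DOMAIN` value used in the other docs, say so). Minor wording: "Starting from 0.12.1, Navigate" and "Next, Click on Save" should use lowercase "navigate" and "click".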
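Review bot: in the index.md hunk `@@ -202,8 +220,6 @@`, the `scopes` entry `- /.default` in the `workflowConfig` snippet has the same missing prefix; it should carry the Application ID URI placeholder from Step 7 in front of `/.default`, as the Step 9 text describes, otherwise readers will copy an incomplete scope.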
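Review bot: in the kubernetes.md hunk `@@ -7,28 +7,38 @@`, the Before 0.12.1 `airflow.openmetadata` block now fills in `authority` and `clientId` with placeholders but leaves `scopes: [ ]` empty, even though Step 9 lists scopes as required for the client-credentials token; add the `/.default` placeholder there too. `botPrincipals` also still shows a single empty string `""` where docker.md's Before 0.12.1 block lists `ingestion-bot` plus the object-id placeholder; the two docs should agree on which principals to list. Keeping the client secret behind `secretRef: azure-client-secret` is the right pattern and is worth cross-referencing from the docker doc.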