Add Allowed Domains (#20329)

2025-08-20 06:58:18 +00:00 · 2025-03-19 12:04:28 +05:30 · 2025-03-19 12:04:28 +05:30 · 9c59d6f74a
commit 9c59d6f74a
parent 350c2ae853
6 changed files with 39 additions and 4 deletions
--- a/conf/openmetadata.yaml
+++ b/conf/openmetadata.yaml
@ -177,6 +177,7 @@ authorizerConfiguration:
  adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
  allowedEmailRegistrationDomains: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]}
  principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"open-metadata.org"}
+  allowedDomains: ${AUTHORIZER_ALLOWED_DOMAINS:-[]}
  enforcePrincipalDomain: ${AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN:-false}
  enableSecureSocketConnection : ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false}
  useRolesFromProvider: ${AUTHORIZER_USE_ROLES_FROM_PROVIDER:-false}
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/AuthenticationException.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/AuthenticationException.java
@ -58,6 +58,12 @@ public class AuthenticationException extends RuntimeException {
    return new AuthenticationException(msg);
  }

+  public static AuthenticationException invalidEmailMessage(String principalDomain) {
+    return new AuthenticationException(
+        String.format(
+            "Not Authorized! Email does not match the principal domain %s", principalDomain));
+  }
+
  private static ErrorResponse convertToErrorResponseMessage(String msg) {
    return new ErrorResponse(msg);
  }
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java
@ -69,6 +69,7 @@ public class JwtFilter implements ContainerRequestFilter {
  @Getter private Map<String, String> jwtPrincipalClaimsMapping;
  private JwkProvider jwkProvider;
  private String principalDomain;
+  private Set<String> allowedDomains;
  private boolean enforcePrincipalDomain;
  private AuthProvider providerType;
  private boolean useRolesFromProvider = false;
@ -123,6 +124,7 @@ public class JwtFilter implements ContainerRequestFilter {

    this.jwkProvider = new MultiUrlJwkProvider(publicKeyUrlsBuilder.build());
    this.principalDomain = authorizerConfiguration.getPrincipalDomain();
+    this.allowedDomains = authorizerConfiguration.getAllowedDomains();
    this.enforcePrincipalDomain = authorizerConfiguration.getEnforcePrincipalDomain();
    this.useRolesFromProvider = authorizerConfiguration.getUseRolesFromProvider();
    this.tokenValidationAlgorithm = authenticationConfiguration.getTokenValidationAlgorithm();
@ -185,6 +187,7 @@ public class JwtFilter implements ContainerRequestFilter {
        jwtPrincipalClaims,
        claims,
        principalDomain,
+        allowedDomains,
        enforcePrincipalDomain);

    // Validate Bot token matches what was created in OM
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/SecurityUtil.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/SecurityUtil.java
@ -25,6 +25,7 @@ import java.io.IOException;
 import java.security.Principal;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.client.Invocation;
 import javax.ws.rs.client.WebTarget;
@ -188,6 +189,7 @@ public final class SecurityUtil {
      List<String> jwtPrincipalClaimsOrder,
      Map<String, Claim> claims,
      String principalDomain,
+      Set<String> allowedDomains,
      boolean enforcePrincipalDomain) {
    String domain = StringUtils.EMPTY;
    if (!nullOrEmpty(jwtPrincipalClaimsMapping)) {
@ -209,10 +211,21 @@ public final class SecurityUtil {
    }

    // Validate
-    if (!isBot(claims) && (enforcePrincipalDomain && !domain.equals(principalDomain))) {
-      throw new AuthenticationException(
-          String.format(
-              "Not Authorized! Email does not match the principal domain %s", principalDomain));
+    if (isBot(claims)) {
+      // Bots don't need to be validated
+      return;
+    }
+    if (enforcePrincipalDomain) {
+      if (allowedDomains == null || allowedDomains.isEmpty()) {
+        // Validate against the principal domain if allowed domains are not supplied
+        if (!domain.equals(principalDomain)) {
+          throw AuthenticationException.invalidEmailMessage(principalDomain);
+        }
+      }
+      // Validate against allowed domains if supplied
+      else if (!allowedDomains.contains(domain)) {
+        throw AuthenticationException.invalidEmailMessage(domain);
+      }
    }
  }

--- a/openmetadata-spec/src/main/resources/json/schema/configuration/authorizerConfiguration.json
+++ b/openmetadata-spec/src/main/resources/json/schema/configuration/authorizerConfiguration.json
@ -51,6 +51,14 @@
      "description": "Principal Domain",
      "type": "string"
    },
+    "allowedDomains": {
+      "description": "Allowed Domains to access",
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "uniqueItems": true
+    },
    "enforcePrincipalDomain": {
      "description": "Enable Enforce Principal Domain",
      "type": "boolean"
--- a/openmetadata-ui/src/main/resources/ui/src/generated/configuration/authorizerConfiguration.ts
+++ b/openmetadata-ui/src/main/resources/ui/src/generated/configuration/authorizerConfiguration.ts
@ -18,6 +18,10 @@ export interface AuthorizerConfiguration {
     * List of unique admin principals.
     */
    adminPrincipals: string[];
+    /**
+     * Allowed Domains to access
+     */
+    allowedDomains?: string[];
    /**
     * List of unique email domains that are allowed to signup on the platforms
     */