From a43835df32b835647bdb63f0e3ccde0edae591a1 Mon Sep 17 00:00:00 2001 From: Chirag Madlani <12962843+chirag-madlani@users.noreply.github.com> Date: Thu, 9 Jan 2025 15:34:07 +0530 Subject: [PATCH] Revert "fixes #18820: updated docker compose files (#18821)" (#19297) This reverts commit 69dd8b99f991da78344eeb35b31cdee9a6ca8521. --- .../development/docker-compose-postgres.yml | 398 ++++++++++++----- docker/development/docker-compose.yml | 405 +++++++++++++----- .../docker-compose-postgres.yml | 346 +++++++++++---- .../docker-compose.yml | 363 ++++++++++++---- 4 files changed, 1129 insertions(+), 383 deletions(-) diff --git a/docker/development/docker-compose-postgres.yml b/docker/development/docker-compose-postgres.yml index e127d348c16..b3730292518 100644 --- a/docker/development/docker-compose-postgres.yml +++ b/docker/development/docker-compose-postgres.yml @@ -9,13 +9,78 @@ # See the License for the specific language governing permissions and # limitations under the License. +version: "3.9" +volumes: + ingestion-volume-dag-airflow: + ingestion-volume-dags: + ingestion-volume-tmp: + es-data: +services: + postgresql: + build: + context: ../../. + dockerfile: docker/postgresql/Dockerfile_postgres + container_name: openmetadata_postgresql + restart: always + command: "--work_mem=10MB" + depends_on: + - opensearch + environment: + POSTGRES_USER: postgres + POSTGRES_PASSWORD: password + expose: + - 5432 + ports: + - "5432:5432" + volumes: + - ./docker-volume/db-data-postgres:/var/lib/postgresql/data + networks: + - local_app_net + healthcheck: + test: psql -U postgres -tAc 'select 1' -d openmetadata_db + interval: 15s + timeout: 10s + retries: 10 -x-environment: &common-env + opensearch: + image: opensearchproject/opensearch:latest + container_name: openmetadata_opensearch + environment: + - discovery.type=single-node + - ES_JAVA_OPTS=-Xms1024m -Xmx1024m + - plugins.security.disabled=true + - OPENSEARCH_INITIAL_ADMIN_PASSWORD=OpenMetadata_password123!!! + networks: + - local_app_net + expose: + - 9200 + - 9300 + ports: + - "9200:9200" + - "9300:9300" + healthcheck: + test: "curl -s http://localhost:9200/_cluster/health?pretty | grep status | grep -qE 'green|yellow' || exit 1" + interval: 15s + timeout: 10s + retries: 10 + volumes: + - es-data:/usr/share/opensearch/data + + execute-migrate-all: + build: + context: ../../. + dockerfile: docker/development/Dockerfile + container_name: execute_migrate_all + command: "./bootstrap/openmetadata-ops.sh -d migrate --force" + environment: OPENMETADATA_CLUSTER_NAME: ${OPENMETADATA_CLUSTER_NAME:-openmetadata} SERVER_PORT: ${SERVER_PORT:-8585} SERVER_ADMIN_PORT: ${SERVER_ADMIN_PORT:-8586} LOG_LEVEL: ${LOG_LEVEL:-INFO} + # Migration + MIGRATION_LIMIT_PARAM: ${MIGRATION_LIMIT_PARAM:-1200} + # OpenMetadata Server Authentication Configuration AUTHORIZER_CLASS_NAME: ${AUTHORIZER_CLASS_NAME:-org.openmetadata.service.security.DefaultAuthorizer} AUTHORIZER_REQUEST_FILTER: ${AUTHORIZER_REQUEST_FILTER:-org.openmetadata.service.security.JwtFilter} @@ -108,18 +173,235 @@ x-environment: &common-env DB_DRIVER_CLASS: ${DB_DRIVER_CLASS:-org.postgresql.Driver} DB_SCHEME: ${DB_SCHEME:-postgresql} DB_PARAMS: ${DB_PARAMS:-allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC} + DB_USE_SSL: ${DB_USE_SSL:-false} DB_USER: ${DB_USER:-openmetadata_user} DB_USER_PASSWORD: ${DB_USER_PASSWORD:-openmetadata_password} DB_HOST: ${DB_HOST:-postgresql} DB_PORT: ${DB_PORT:-5432} OM_DATABASE: ${OM_DATABASE:-openmetadata_db} # ElasticSearch Configurations - ELASTICSEARCH_HOST: ${ELASTICSEARCH_HOST:- opensearch} + ELASTICSEARCH_HOST: ${ELASTICSEARCH_HOST:-opensearch} ELASTICSEARCH_PORT: ${ELASTICSEARCH_PORT:-9200} ELASTICSEARCH_SCHEME: ${ELASTICSEARCH_SCHEME:-http} ELASTICSEARCH_USER: ${ELASTICSEARCH_USER:-""} ELASTICSEARCH_PASSWORD: ${ELASTICSEARCH_PASSWORD:-""} SEARCH_TYPE: ${SEARCH_TYPE:- "opensearch"} + ELASTICSEARCH_CLUSTER_ALIAS: ${ELASTICSEARCH_CLUSTER_ALIAS:- "openmetadata"} + ELASTICSEARCH_TRUST_STORE_PATH: ${ELASTICSEARCH_TRUST_STORE_PATH:-""} + ELASTICSEARCH_TRUST_STORE_PASSWORD: ${ELASTICSEARCH_TRUST_STORE_PASSWORD:-""} + ELASTICSEARCH_CONNECTION_TIMEOUT_SECS: ${ELASTICSEARCH_CONNECTION_TIMEOUT_SECS:-5} + ELASTICSEARCH_SOCKET_TIMEOUT_SECS: ${ELASTICSEARCH_SOCKET_TIMEOUT_SECS:-60} + ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS: ${ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS:-600} + ELASTICSEARCH_BATCH_SIZE: ${ELASTICSEARCH_BATCH_SIZE:-100} + ELASTICSEARCH_PAYLOAD_BYTES_SIZE: ${ELASTICSEARCH_PAYLOAD_BYTES_SIZE:-10485760} #max payLoadSize in Bytes + ELASTICSEARCH_INDEX_MAPPING_LANG: ${ELASTICSEARCH_INDEX_MAPPING_LANG:-EN} + + #eventMonitoringConfiguration + EVENT_MONITOR: ${EVENT_MONITOR:-prometheus} + EVENT_MONITOR_BATCH_SIZE: ${EVENT_MONITOR_BATCH_SIZE:-10} + EVENT_MONITOR_PATH_PATTERN: ${EVENT_MONITOR_PATH_PATTERN:-["/api/v1/tables/*", "/api/v1/health-check"]} + EVENT_MONITOR_LATENCY: ${EVENT_MONITOR_LATENCY:-[]} + + #pipelineServiceClientConfiguration + PIPELINE_SERVICE_CLIENT_CLASS_NAME: ${PIPELINE_SERVICE_CLIENT_CLASS_NAME:-"org.openmetadata.service.clients.pipeline.airflow.AirflowRESTClient"} + PIPELINE_SERVICE_IP_INFO_ENABLED: ${PIPELINE_SERVICE_IP_INFO_ENABLED:-false} + PIPELINE_SERVICE_CLIENT_HOST_IP: ${PIPELINE_SERVICE_CLIENT_HOST_IP:-""} + PIPELINE_SERVICE_CLIENT_SECRETS_MANAGER_LOADER: ${PIPELINE_SERVICE_CLIENT_SECRETS_MANAGER_LOADER:-"noop"} + #airflow parameters + AIRFLOW_USERNAME: ${AIRFLOW_USERNAME:-admin} + AIRFLOW_PASSWORD: ${AIRFLOW_PASSWORD:-admin} + AIRFLOW_TIMEOUT: ${AIRFLOW_TIMEOUT:-10} + AIRFLOW_TRUST_STORE_PATH: ${AIRFLOW_TRUST_STORE_PATH:-""} + AIRFLOW_TRUST_STORE_PASSWORD: ${AIRFLOW_TRUST_STORE_PASSWORD:-""} + FERNET_KEY: ${FERNET_KEY:-jJ/9sz0g0OHxsfxOoSfdFdmk3ysNmPRnH3TUAbz3IHA=} + + #secretsManagerConfiguration + SECRET_MANAGER: ${SECRET_MANAGER:-db} + # AWS: + OM_SM_REGION: ${OM_SM_REGION:-""} + OM_SM_ACCESS_KEY_ID: ${OM_SM_ACCESS_KEY_ID:-""} + OM_SM_ACCESS_KEY: ${OM_SM_ACCESS_KEY:-""} + # Azure: + OM_SM_VAULT_NAME: ${OM_SM_VAULT_NAME:-""} + OM_SM_CLIENT_ID: ${OM_SM_CLIENT_ID:-""} + OM_SM_CLIENT_SECRET: ${OM_SM_CLIENT_SECRET:-""} + OM_SM_TENANT_ID: ${OM_SM_TENANT_ID:-""} + + #email configuration: + OM_EMAIL_ENTITY: ${OM_EMAIL_ENTITY:-"OpenMetadata"} + OM_SUPPORT_URL: ${OM_SUPPORT_URL:-"https://slack.open-metadata.org"} + AUTHORIZER_ENABLE_SMTP : ${AUTHORIZER_ENABLE_SMTP:-false} + OPENMETADATA_SERVER_URL: ${OPENMETADATA_SERVER_URL:-""} + OPENMETADATA_SMTP_SENDER_MAIL: ${OPENMETADATA_SMTP_SENDER_MAIL:-""} + SMTP_SERVER_ENDPOINT: ${SMTP_SERVER_ENDPOINT:-""} + SMTP_SERVER_PORT: ${SMTP_SERVER_PORT:-""} + SMTP_SERVER_USERNAME: ${SMTP_SERVER_USERNAME:-""} + SMTP_SERVER_PWD: ${SMTP_SERVER_PWD:-""} + SMTP_SERVER_STRATEGY: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"} + + #extensionConfiguration + OM_RESOURCE_PACKAGES: ${OM_RESOURCE_PACKAGES:-[]} + OM_EXTENSIONS: ${OM_EXTENSIONS:-[]} + + # Heap OPTS Configurations + OPENMETADATA_HEAP_OPTS: ${OPENMETADATA_HEAP_OPTS:--Xmx1G -Xms1G} + # Mask passwords values in UI + MASK_PASSWORDS_API: ${MASK_PASSWORDS_API:-false} + + #OpenMetadata Web Configuration + WEB_CONF_URI_PATH: ${WEB_CONF_URI_PATH:-"/api"} + #HSTS + WEB_CONF_HSTS_ENABLED: ${WEB_CONF_HSTS_ENABLED:-false} + WEB_CONF_HSTS_MAX_AGE: ${WEB_CONF_HSTS_MAX_AGE:-"365 days"} + WEB_CONF_HSTS_INCLUDE_SUBDOMAINS: ${WEB_CONF_HSTS_INCLUDE_SUBDOMAINS:-"true"} + WEB_CONF_HSTS_PRELOAD: ${WEB_CONF_HSTS_PRELOAD:-"true"} + #Frame Options + WEB_CONF_FRAME_OPTION_ENABLED: ${WEB_CONF_FRAME_OPTION_ENABLED:-false} + WEB_CONF_FRAME_OPTION: ${WEB_CONF_FRAME_OPTION:-"SAMEORIGIN"} + WEB_CONF_FRAME_ORIGIN: ${WEB_CONF_FRAME_ORIGIN:-""} + #Content Type + WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED: ${WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED:-false} + #XSS-Protection + WEB_CONF_XSS_PROTECTION_ENABLED: ${WEB_CONF_XSS_PROTECTION_ENABLED:-false} + WEB_CONF_XSS_PROTECTION_ON: ${WEB_CONF_XSS_PROTECTION_ON:-true} + WEB_CONF_XSS_PROTECTION_BLOCK: ${WEB_CONF_XSS_PROTECTION_BLOCK:-true} + #CSP + WEB_CONF_XSS_CSP_ENABLED: ${WEB_CONF_XSS_CSP_ENABLED:-false} + WEB_CONF_XSS_CSP_POLICY: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"} + WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY: ${WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY:-""} + #Referrer-Policy + WEB_CONF_REFERRER_POLICY_ENABLED: ${WEB_CONF_REFERRER_POLICY_ENABLED:-false} + WEB_CONF_REFERRER_POLICY_OPTION: ${WEB_CONF_REFERRER_POLICY_OPTION:-"SAME_ORIGIN"} + #Permission-Policy + WEB_CONF_PERMISSION_POLICY_ENABLED: ${WEB_CONF_PERMISSION_POLICY_ENABLED:-false} + WEB_CONF_PERMISSION_POLICY_OPTION: ${WEB_CONF_PERMISSION_POLICY_OPTION:-""} + #Cache + WEB_CONF_CACHE_CONTROL: ${WEB_CONF_CACHE_CONTROL:-""} + WEB_CONF_PRAGMA: ${WEB_CONF_PRAGMA:-""} + depends_on: + opensearch: + condition: service_healthy + postgresql: + condition: service_healthy + networks: + - local_app_net + + openmetadata-server: + build: + context: ../../. + dockerfile: docker/development/Dockerfile + container_name: openmetadata_server + environment: + OPENMETADATA_CLUSTER_NAME: ${OPENMETADATA_CLUSTER_NAME:-openmetadata} + SERVER_PORT: ${SERVER_PORT:-8585} + SERVER_ADMIN_PORT: ${SERVER_ADMIN_PORT:-8586} + LOG_LEVEL: ${LOG_LEVEL:-INFO} + # OpenMetadata Server Authentication Configuration + AUTHORIZER_CLASS_NAME: ${AUTHORIZER_CLASS_NAME:-org.openmetadata.service.security.DefaultAuthorizer} + AUTHORIZER_REQUEST_FILTER: ${AUTHORIZER_REQUEST_FILTER:-org.openmetadata.service.security.JwtFilter} + AUTHORIZER_ADMIN_PRINCIPALS: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]} + AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]} + AUTHORIZER_INGESTION_PRINCIPALS: ${AUTHORIZER_INGESTION_PRINCIPALS:-[ingestion-bot]} + AUTHORIZER_PRINCIPAL_DOMAIN: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"open-metadata.org"} + AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN: ${AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN:-false} + AUTHORIZER_ENABLE_SECURE_SOCKET: ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false} + AUTHENTICATION_PROVIDER: ${AUTHENTICATION_PROVIDER:-basic} + AUTHENTICATION_RESPONSE_TYPE: ${AUTHENTICATION_RESPONSE_TYPE:-id_token} + CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME: ${CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME:-""} + AUTHENTICATION_PUBLIC_KEYS: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]} + AUTHENTICATION_AUTHORITY: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com} + AUTHENTICATION_CLIENT_ID: ${AUTHENTICATION_CLIENT_ID:-""} + AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""} + AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]} + AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING:-[]} + AUTHENTICATION_ENABLE_SELF_SIGNUP : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true} + AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public} + #For OIDC Authentication, when client is confidential + OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""} + OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc. + OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""} + OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"} + OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""} + OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true} + OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"} + OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"} + OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true} + OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"} + OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"} + OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"} + OIDC_TENANT: ${OIDC_TENANT:-""} + OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""} + OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}} + # For SAML Authentication + # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false} + # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""} + # SAML_IDP_SSO_LOGIN_URL: ${SAML_IDP_SSO_LOGIN_URL:-""} + # SAML_IDP_CERTIFICATE: ${SAML_IDP_CERTIFICATE:-""} + # SAML_AUTHORITY_URL: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"} + # SAML_IDP_NAME_ID: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"} + # SAML_SP_ENTITY_ID: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"} + # SAML_SP_ACS: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"} + # SAML_SP_CERTIFICATE: ${SAML_SP_CERTIFICATE:-""} + # SAML_SP_CALLBACK: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"} + # SAML_STRICT_MODE: ${SAML_STRICT_MODE:-false} + # SAML_SP_TOKEN_VALIDITY: ${SAML_SP_TOKEN_VALIDITY:-"3600"} + # SAML_SEND_ENCRYPTED_NAME_ID: ${SAML_SEND_ENCRYPTED_NAME_ID:-false} + # SAML_SEND_SIGNED_AUTH_REQUEST: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false} + # SAML_SIGNED_SP_METADATA: ${SAML_SIGNED_SP_METADATA:-false} + # SAML_WANT_MESSAGE_SIGNED: ${SAML_WANT_MESSAGE_SIGNED:-false} + # SAML_WANT_ASSERTION_SIGNED: ${SAML_WANT_ASSERTION_SIGNED:-false} + # SAML_WANT_ASSERTION_ENCRYPTED: ${SAML_WANT_ASSERTION_ENCRYPTED:-false} + # SAML_WANT_NAME_ID_ENCRYPTED: ${SAML_WANT_NAME_ID_ENCRYPTED:-false} + # SAML_KEYSTORE_FILE_PATH: ${SAML_KEYSTORE_FILE_PATH:-""} + # SAML_KEYSTORE_ALIAS: ${SAML_KEYSTORE_ALIAS:-""} + # SAML_KEYSTORE_PASSWORD: ${SAML_KEYSTORE_PASSWORD:-""} + # For LDAP Authentication + # AUTHENTICATION_LDAP_HOST: ${AUTHENTICATION_LDAP_HOST:-} + # AUTHENTICATION_LDAP_PORT: ${AUTHENTICATION_LDAP_PORT:-} + # AUTHENTICATION_LOOKUP_ADMIN_DN: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-""} + # AUTHENTICATION_LOOKUP_ADMIN_PWD: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-""} + # AUTHENTICATION_USER_LOOKUP_BASEDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-""} + # AUTHENTICATION_USER_MAIL_ATTR: ${AUTHENTICATION_USER_MAIL_ATTR:-} + # AUTHENTICATION_LDAP_POOL_SIZE: ${AUTHENTICATION_LDAP_POOL_SIZE:-3} + # AUTHENTICATION_LDAP_SSL_ENABLED: ${AUTHENTICATION_LDAP_SSL_ENABLED:-} + # AUTHENTICATION_LDAP_TRUSTSTORE_TYPE: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} + # AUTHENTICATION_LDAP_TRUSTSTORE_PATH: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-} + # AUTHENTICATION_LDAP_KEYSTORE_PASSWORD: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-} + # AUTHENTICATION_LDAP_SSL_KEY_FORMAT: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-} + # AUTHENTICATION_LDAP_ALLOW_WILDCARDS: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-} + # AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]} + # AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-} + # AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} + + # JWT Configuration + RSA_PUBLIC_KEY_FILE_PATH: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"} + RSA_PRIVATE_KEY_FILE_PATH: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"} + JWT_ISSUER: ${JWT_ISSUER:-"open-metadata.org"} + JWT_KEY_ID: ${JWT_KEY_ID:-"Gb389a-9f76-gdjs-a92j-0242bk94356"} + # OpenMetadata Server Pipeline Service Client Configuration + PIPELINE_SERVICE_CLIENT_ENDPOINT: ${PIPELINE_SERVICE_CLIENT_ENDPOINT:-http://ingestion:8080} + PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL: ${PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL:-300} + SERVER_HOST_API_URL: ${SERVER_HOST_API_URL:-http://openmetadata-server:8585/api} + PIPELINE_SERVICE_CLIENT_VERIFY_SSL: ${PIPELINE_SERVICE_CLIENT_VERIFY_SSL:-"no-ssl"} + PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH: ${PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH:-""} + # Database configuration for Postgres + DB_DRIVER_CLASS: ${DB_DRIVER_CLASS:-org.postgresql.Driver} + DB_SCHEME: ${DB_SCHEME:-postgresql} + DB_PARAMS: ${DB_PARAMS:-allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC} + DB_USE_SSL: ${DB_USE_SSL:-false} + DB_USER: ${DB_USER:-openmetadata_user} + DB_USER_PASSWORD: ${DB_USER_PASSWORD:-openmetadata_password} + DB_HOST: ${DB_HOST:-postgresql} + DB_PORT: ${DB_PORT:-5432} + OM_DATABASE: ${OM_DATABASE:-openmetadata_db} + # ElasticSearch Configurations + ELASTICSEARCH_HOST: ${ELASTICSEARCH_HOST:-opensearch} + ELASTICSEARCH_PORT: ${ELASTICSEARCH_PORT:-9200} + ELASTICSEARCH_SCHEME: ${ELASTICSEARCH_SCHEME:-http} + ELASTICSEARCH_USER: ${ELASTICSEARCH_USER:-""} + ELASTICSEARCH_PASSWORD: ${ELASTICSEARCH_PASSWORD:-"OpenMetadata_password123!!!"} + SEARCH_TYPE: ${SEARCH_TYPE:- "opensearch"} + ELASTICSEARCH_CLUSTER_ALIAS: ${ELASTICSEARCH_CLUSTER_ALIAS:- "openmetadata"} ELASTICSEARCH_TRUST_STORE_PATH: ${ELASTICSEARCH_TRUST_STORE_PATH:-""} ELASTICSEARCH_TRUST_STORE_PASSWORD: ${ELASTICSEARCH_TRUST_STORE_PASSWORD:-""} ELASTICSEARCH_CONNECTION_TIMEOUT_SECS: ${ELASTICSEARCH_CONNECTION_TIMEOUT_SECS:-5} @@ -136,7 +418,6 @@ x-environment: &common-env EVENT_MONITOR_LATENCY: ${EVENT_MONITOR_LATENCY:-[]} #pipelineServiceClientConfiguration - PIPELINE_SERVICE_CLIENT_ENABLED: ${PIPELINE_SERVICE_CLIENT_ENABLED:-true} PIPELINE_SERVICE_CLIENT_CLASS_NAME: ${PIPELINE_SERVICE_CLIENT_CLASS_NAME:-"org.openmetadata.service.clients.pipeline.airflow.AirflowRESTClient"} PIPELINE_SERVICE_IP_INFO_ENABLED: ${PIPELINE_SERVICE_IP_INFO_ENABLED:-false} PIPELINE_SERVICE_CLIENT_HOST_IP: ${PIPELINE_SERVICE_CLIENT_HOST_IP:-""} @@ -167,107 +448,14 @@ x-environment: &common-env SMTP_SERVER_USERNAME: ${SMTP_SERVER_USERNAME:-""} SMTP_SERVER_PWD: ${SMTP_SERVER_PWD:-""} SMTP_SERVER_STRATEGY: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"} + + #extensionConfiguration + OM_RESOURCE_PACKAGES: ${OM_RESOURCE_PACKAGES:-[]} + OM_EXTENSIONS: ${OM_EXTENSIONS:-[]} + # Heap OPTS Configurations OPENMETADATA_HEAP_OPTS: ${OPENMETADATA_HEAP_OPTS:--Xmx1G -Xms1G} - #OpenMetadata Web Configuration - WEB_CONF_URI_PATH: ${WEB_CONF_URI_PATH:-"/api"} - #HSTS - WEB_CONF_HSTS_ENABLED: ${WEB_CONF_HSTS_ENABLED:-false} - WEB_CONF_HSTS_MAX_AGE: ${WEB_CONF_HSTS_MAX_AGE:-"365 days"} - WEB_CONF_HSTS_INCLUDE_SUBDOMAINS: ${WEB_CONF_HSTS_INCLUDE_SUBDOMAINS:-"true"} - WEB_CONF_HSTS_PRELOAD: ${WEB_CONF_HSTS_PRELOAD:-"true"} - #Frame Options - WEB_CONF_FRAME_OPTION_ENABLED: ${WEB_CONF_FRAME_OPTION_ENABLED:-false} - WEB_CONF_FRAME_OPTION: ${WEB_CONF_FRAME_OPTION:-"SAMEORIGIN"} - WEB_CONF_FRAME_ORIGIN: ${WEB_CONF_FRAME_ORIGIN:-""} - #Content Type - WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED: ${WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED:-false} - #XSS-Protection - WEB_CONF_XSS_PROTECTION_ENABLED: ${WEB_CONF_XSS_PROTECTION_ENABLED:-false} - WEB_CONF_XSS_PROTECTION_ON: ${WEB_CONF_XSS_PROTECTION_ON:-true} - WEB_CONF_XSS_PROTECTION_BLOCK: ${WEB_CONF_XSS_PROTECTION_BLOCK:-true} - #CSP - WEB_CONF_XSS_CSP_ENABLED: ${WEB_CONF_XSS_CSP_ENABLED:-false} - WEB_CONF_XSS_CSP_POLICY: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"} - WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY: ${WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY:-""} - #Cache - WEB_CONF_CACHE_CONTROL: ${WEB_CONF_CACHE_CONTROL:-""} - WEB_CONF_PRAGMA: ${WEB_CONF_PRAGMA:-""} - -services: - postgresql: - build: - context: ../../. - dockerfile: docker/postgresql/Dockerfile_postgres - container_name: openmetadata_postgresql - restart: always - command: "--work_mem=10MB" - depends_on: - - opensearch - environment: - POSTGRES_USER: postgres - POSTGRES_PASSWORD: password - expose: - - 5432 - ports: - - "5432:5432" - volumes: - - ./docker-volume/db-data-postgres:/var/lib/postgresql/data - networks: - - local_app_net - healthcheck: - test: psql -U postgres -tAc 'select 1' -d openmetadata_db - interval: 15s - timeout: 10s - retries: 10 - - opensearch: - image: opensearchproject/opensearch:latest - container_name: openmetadata_opensearch - environment: - - discovery.type=single-node - - ES_JAVA_OPTS=-Xms1024m -Xmx1024m - - plugins.security.disabled=true - - OPENSEARCH_INITIAL_ADMIN_PASSWORD=OpenMetadata_password123!!! - networks: - - local_app_net - expose: - - 9200 - - 9300 - ports: - - "9200:9200" - - "9300:9300" - healthcheck: - test: "curl -s http://localhost:9200/_cluster/health?pretty | grep status | grep -qE 'green|yellow' || exit 1" - interval: 15s - timeout: 10s - retries: 10 - volumes: - - es-data:/usr/share/opensearch/data - - execute-migrate-all: - build: - context: ../../. - dockerfile: docker/development/Dockerfile - container_name: execute_migrate_all - command: "./bootstrap/openmetadata-ops.sh -d migrate --force" - environment: - <<: *common-env - depends_on: - opensearch: - condition: service_healthy - postgresql: - condition: service_healthy - networks: - - local_app_net - - openmetadata-server: - build: - context: ../../. - dockerfile: docker/development/Dockerfile - container_name: openmetadata_server - environment: - <<: *common-env + MASK_PASSWORDS_API: ${MASK_PASSWORDS_API:-true} expose: - 8585 - 8586 @@ -336,11 +524,7 @@ services: - ingestion-volume-dags:/opt/airflow/dags - ingestion-volume-tmp:/tmp - /var/run/docker.sock:/var/run/docker.sock:z # Need 600 permissions to run DockerOperator -volumes: - ingestion-volume-dag-airflow: - ingestion-volume-dags: - ingestion-volume-tmp: - es-data: + networks: local_app_net: diff --git a/docker/development/docker-compose.yml b/docker/development/docker-compose.yml index d1deff852ca..b5509137a52 100644 --- a/docker/development/docker-compose.yml +++ b/docker/development/docker-compose.yml @@ -9,19 +9,295 @@ # See the License for the specific language governing permissions and # limitations under the License. -# version: "3.9" -x-environment: &common-env +version: "3.9" +volumes: + ingestion-volume-dag-airflow: + ingestion-volume-dags: + ingestion-volume-tmp: + es-data: +services: + mysql: + build: + context: ../../. + dockerfile: docker/mysql/Dockerfile_mysql + command: "--sort_buffer_size=10M" + container_name: openmetadata_mysql + restart: always + depends_on: + - elasticsearch + environment: + MYSQL_ROOT_PASSWORD: password + expose: + - 3306 + ports: + - "3306:3306" + networks: + - local_app_net + healthcheck: + test: mysql --user=root --password=$$MYSQL_ROOT_PASSWORD --silent --execute "use openmetadata_db" + interval: 15s + timeout: 10s + retries: 10 + volumes: + - ./docker-volume/db-data:/var/lib/mysql + + elasticsearch: + image: docker.elastic.co/elasticsearch/elasticsearch:8.11.4 + container_name: openmetadata_elasticsearch + environment: + - discovery.type=single-node + - ES_JAVA_OPTS=-Xms1024m -Xmx1024m + - xpack.security.enabled=false + networks: + - local_app_net + expose: + - 9200 + - 9300 + ports: + - "9200:9200" + - "9300:9300" + healthcheck: + test: "curl -s http://localhost:9200/_cluster/health?pretty | grep status | grep -qE 'green|yellow' || exit 1" + interval: 15s + timeout: 10s + retries: 10 + volumes: + - es-data:/usr/share/elasticsearch/data + + execute-migrate-all: + build: + context: ../../. + dockerfile: docker/development/Dockerfile + container_name: execute_migrate_all + command: "./bootstrap/openmetadata-ops.sh -d migrate --force" + environment: OPENMETADATA_CLUSTER_NAME: ${OPENMETADATA_CLUSTER_NAME:-openmetadata} SERVER_PORT: ${SERVER_PORT:-8585} SERVER_ADMIN_PORT: ${SERVER_ADMIN_PORT:-8586} LOG_LEVEL: ${LOG_LEVEL:-INFO} + + # Migration + MIGRATION_LIMIT_PARAM: ${MIGRATION_LIMIT_PARAM:-1200} + # OpenMetadata Server Authentication Configuration AUTHORIZER_CLASS_NAME: ${AUTHORIZER_CLASS_NAME:-org.openmetadata.service.security.DefaultAuthorizer} AUTHORIZER_REQUEST_FILTER: ${AUTHORIZER_REQUEST_FILTER:-org.openmetadata.service.security.JwtFilter} AUTHORIZER_ADMIN_PRINCIPALS: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]} AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]} AUTHORIZER_INGESTION_PRINCIPALS: ${AUTHORIZER_INGESTION_PRINCIPALS:-[ingestion-bot]} - AUTHORIZER_PRINCIPAL_DOMAIN: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"openmetadata.org"} + AUTHORIZER_PRINCIPAL_DOMAIN: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"open-metadata.org"} + AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN: ${AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN:-false} + AUTHORIZER_ENABLE_SECURE_SOCKET: ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false} + AUTHENTICATION_PROVIDER: ${AUTHENTICATION_PROVIDER:-basic} + AUTHENTICATION_RESPONSE_TYPE: ${AUTHENTICATION_RESPONSE_TYPE:-id_token} + CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME: ${CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME:-""} + AUTHENTICATION_PUBLIC_KEYS: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]} + AUTHENTICATION_AUTHORITY: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com} + AUTHENTICATION_CLIENT_ID: ${AUTHENTICATION_CLIENT_ID:-""} + AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""} + AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]} + AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING:-[]} + AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true} + AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public} + #For OIDC Authentication, when client is confidential + OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""} + OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc. + OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""} + OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"} + OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""} + OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true} + OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"} + OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"} + OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true} + OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"} + OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"} + OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"} + OIDC_TENANT: ${OIDC_TENANT:-""} + OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""} + OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}} + # For SAML Authentication + # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false} + # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""} + # SAML_IDP_SSO_LOGIN_URL: ${SAML_IDP_SSO_LOGIN_URL:-""} + # SAML_IDP_CERTIFICATE: ${SAML_IDP_CERTIFICATE:-""} + # SAML_AUTHORITY_URL: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"} + # SAML_IDP_NAME_ID: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"} + # SAML_SP_ENTITY_ID: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"} + # SAML_SP_ACS: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"} + # SAML_SP_CERTIFICATE: ${SAML_SP_CERTIFICATE:-""} + # SAML_SP_CALLBACK: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"} + # SAML_STRICT_MODE: ${SAML_STRICT_MODE:-false} + # SAML_SP_TOKEN_VALIDITY: ${SAML_SP_TOKEN_VALIDITY:-"3600"} + # SAML_SEND_ENCRYPTED_NAME_ID: ${SAML_SEND_ENCRYPTED_NAME_ID:-false} + # SAML_SEND_SIGNED_AUTH_REQUEST: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false} + # SAML_SIGNED_SP_METADATA: ${SAML_SIGNED_SP_METADATA:-false} + # SAML_WANT_MESSAGE_SIGNED: ${SAML_WANT_MESSAGE_SIGNED:-false} + # SAML_WANT_ASSERTION_SIGNED: ${SAML_WANT_ASSERTION_SIGNED:-false} + # SAML_WANT_ASSERTION_ENCRYPTED: ${SAML_WANT_ASSERTION_ENCRYPTED:-false} + # SAML_WANT_NAME_ID_ENCRYPTED: ${SAML_WANT_NAME_ID_ENCRYPTED:-false} + # SAML_KEYSTORE_FILE_PATH: ${SAML_KEYSTORE_FILE_PATH:-""} + # SAML_KEYSTORE_ALIAS: ${SAML_KEYSTORE_ALIAS:-""} + # SAML_KEYSTORE_PASSWORD: ${SAML_KEYSTORE_PASSWORD:-""} + # For LDAP Authentication + # AUTHENTICATION_LDAP_HOST: ${AUTHENTICATION_LDAP_HOST:-} + # AUTHENTICATION_LDAP_PORT: ${AUTHENTICATION_LDAP_PORT:-} + # AUTHENTICATION_LOOKUP_ADMIN_DN: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-""} + # AUTHENTICATION_LOOKUP_ADMIN_PWD: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-""} + # AUTHENTICATION_USER_LOOKUP_BASEDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-""} + # AUTHENTICATION_USER_MAIL_ATTR: ${AUTHENTICATION_USER_MAIL_ATTR:-} + # AUTHENTICATION_LDAP_POOL_SIZE: ${AUTHENTICATION_LDAP_POOL_SIZE:-3} + # AUTHENTICATION_LDAP_SSL_ENABLED: ${AUTHENTICATION_LDAP_SSL_ENABLED:-} + # AUTHENTICATION_LDAP_TRUSTSTORE_TYPE: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} + # AUTHENTICATION_LDAP_TRUSTSTORE_PATH: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-} + # AUTHENTICATION_LDAP_KEYSTORE_PASSWORD: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-} + # AUTHENTICATION_LDAP_SSL_KEY_FORMAT: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-} + # AUTHENTICATION_LDAP_ALLOW_WILDCARDS: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-} + # AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]} + # AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-} + # AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} + + # JWT Configuration + RSA_PUBLIC_KEY_FILE_PATH: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"} + RSA_PRIVATE_KEY_FILE_PATH: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"} + JWT_ISSUER: ${JWT_ISSUER:-"open-metadata.org"} + JWT_KEY_ID: ${JWT_KEY_ID:-"Gb389a-9f76-gdjs-a92j-0242bk94356"} + # OpenMetadata Server Pipeline Service Client Configuration + PIPELINE_SERVICE_CLIENT_ENDPOINT: ${PIPELINE_SERVICE_CLIENT_ENDPOINT:-http://ingestion:8080} + PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL: ${PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL:-300} + SERVER_HOST_API_URL: ${SERVER_HOST_API_URL:-http://openmetadata-server:8585/api} + PIPELINE_SERVICE_CLIENT_VERIFY_SSL: ${PIPELINE_SERVICE_CLIENT_VERIFY_SSL:-"no-ssl"} + PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH: ${PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH:-""} + # Database configuration for MySQL + DB_DRIVER_CLASS: ${DB_DRIVER_CLASS:-com.mysql.cj.jdbc.Driver} + DB_SCHEME: ${DB_SCHEME:-mysql} + DB_PARAMS: ${DB_PARAMS:-allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC} + DB_USE_SSL: ${DB_USE_SSL:-false} + DB_USER: ${DB_USER:-openmetadata_user} + DB_USER_PASSWORD: ${DB_USER_PASSWORD:-openmetadata_password} + DB_HOST: ${DB_HOST:-mysql} + DB_PORT: ${DB_PORT:-3306} + OM_DATABASE: ${OM_DATABASE:-openmetadata_db} + # ElasticSearch Configurations + ELASTICSEARCH_HOST: ${ELASTICSEARCH_HOST:- elasticsearch} + ELASTICSEARCH_PORT: ${ELASTICSEARCH_PORT:-9200} + ELASTICSEARCH_SCHEME: ${ELASTICSEARCH_SCHEME:-http} + ELASTICSEARCH_USER: ${ELASTICSEARCH_USER:-""} + ELASTICSEARCH_PASSWORD: ${ELASTICSEARCH_PASSWORD:-""} + SEARCH_TYPE: ${SEARCH_TYPE:- "elasticsearch"} + ELASTICSEARCH_CLUSTER_ALIAS: ${ELASTICSEARCH_CLUSTER_ALIAS:- "openmetadata"} + ELASTICSEARCH_TRUST_STORE_PATH: ${ELASTICSEARCH_TRUST_STORE_PATH:-""} + ELASTICSEARCH_TRUST_STORE_PASSWORD: ${ELASTICSEARCH_TRUST_STORE_PASSWORD:-""} + ELASTICSEARCH_CONNECTION_TIMEOUT_SECS: ${ELASTICSEARCH_CONNECTION_TIMEOUT_SECS:-5} + ELASTICSEARCH_SOCKET_TIMEOUT_SECS: ${ELASTICSEARCH_SOCKET_TIMEOUT_SECS:-60} + ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS: ${ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS:-600} + ELASTICSEARCH_BATCH_SIZE: ${ELASTICSEARCH_BATCH_SIZE:-100} + ELASTICSEARCH_PAYLOAD_BYTES_SIZE: ${ELASTICSEARCH_PAYLOAD_BYTES_SIZE:-10485760} #max payLoadSize in Bytes + ELASTICSEARCH_INDEX_MAPPING_LANG: ${ELASTICSEARCH_INDEX_MAPPING_LANG:-EN} + + #eventMonitoringConfiguration + EVENT_MONITOR: ${EVENT_MONITOR:-prometheus} + EVENT_MONITOR_BATCH_SIZE: ${EVENT_MONITOR_BATCH_SIZE:-10} + EVENT_MONITOR_PATH_PATTERN: ${EVENT_MONITOR_PATH_PATTERN:-["/api/v1/tables/*", "/api/v1/health-check"]} + EVENT_MONITOR_LATENCY: ${EVENT_MONITOR_LATENCY:-[]} + + #pipelineServiceClientConfiguration + PIPELINE_SERVICE_CLIENT_CLASS_NAME: ${PIPELINE_SERVICE_CLIENT_CLASS_NAME:-"org.openmetadata.service.clients.pipeline.airflow.AirflowRESTClient"} + PIPELINE_SERVICE_IP_INFO_ENABLED: ${PIPELINE_SERVICE_IP_INFO_ENABLED:-false} + PIPELINE_SERVICE_CLIENT_HOST_IP: ${PIPELINE_SERVICE_CLIENT_HOST_IP:-""} + PIPELINE_SERVICE_CLIENT_SECRETS_MANAGER_LOADER: ${PIPELINE_SERVICE_CLIENT_SECRETS_MANAGER_LOADER:-"noop"} + #airflow parameters + AIRFLOW_USERNAME: ${AIRFLOW_USERNAME:-admin} + AIRFLOW_PASSWORD: ${AIRFLOW_PASSWORD:-admin} + AIRFLOW_TIMEOUT: ${AIRFLOW_TIMEOUT:-10} + AIRFLOW_TRUST_STORE_PATH: ${AIRFLOW_TRUST_STORE_PATH:-""} + AIRFLOW_TRUST_STORE_PASSWORD: ${AIRFLOW_TRUST_STORE_PASSWORD:-""} + FERNET_KEY: ${FERNET_KEY:-jJ/9sz0g0OHxsfxOoSfdFdmk3ysNmPRnH3TUAbz3IHA=} + + #secretsManagerConfiguration + SECRET_MANAGER: ${SECRET_MANAGER:-db} + #parameters: + OM_SM_REGION: ${OM_SM_REGION:-""} + OM_SM_ACCESS_KEY_ID: ${OM_SM_ACCESS_KEY_ID:-""} + OM_SM_ACCESS_KEY: ${OM_SM_ACCESS_KEY:-""} + + #email configuration: + OM_EMAIL_ENTITY: ${OM_EMAIL_ENTITY:-"OpenMetadata"} + OM_SUPPORT_URL: ${OM_SUPPORT_URL:-"https://slack.open-metadata.org"} + AUTHORIZER_ENABLE_SMTP : ${AUTHORIZER_ENABLE_SMTP:-false} + OPENMETADATA_SERVER_URL: ${OPENMETADATA_SERVER_URL:-""} + OPENMETADATA_SMTP_SENDER_MAIL: ${OPENMETADATA_SMTP_SENDER_MAIL:-""} + SMTP_SERVER_ENDPOINT: ${SMTP_SERVER_ENDPOINT:-""} + SMTP_SERVER_PORT: ${SMTP_SERVER_PORT:-""} + SMTP_SERVER_USERNAME: ${SMTP_SERVER_USERNAME:-""} + SMTP_SERVER_PWD: ${SMTP_SERVER_PWD:-""} + SMTP_SERVER_STRATEGY: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"} + + #extensionConfiguration + OM_RESOURCE_PACKAGES: ${OM_RESOURCE_PACKAGES:-[]} + OM_EXTENSIONS: ${OM_EXTENSIONS:-[]} + + + # Heap OPTS Configurations + OPENMETADATA_HEAP_OPTS: ${OPENMETADATA_HEAP_OPTS:--Xmx1G -Xms1G} + # Mask passwords values in UI + MASK_PASSWORDS_API: ${MASK_PASSWORDS_API:-false} + + #OpenMetadata Web Configuration + WEB_CONF_URI_PATH: ${WEB_CONF_URI_PATH:-"/api"} + #HSTS + WEB_CONF_HSTS_ENABLED: ${WEB_CONF_HSTS_ENABLED:-false} + WEB_CONF_HSTS_MAX_AGE: ${WEB_CONF_HSTS_MAX_AGE:-"365 days"} + WEB_CONF_HSTS_INCLUDE_SUBDOMAINS: ${WEB_CONF_HSTS_INCLUDE_SUBDOMAINS:-"true"} + WEB_CONF_HSTS_PRELOAD: ${WEB_CONF_HSTS_PRELOAD:-"true"} + #Frame Options + WEB_CONF_FRAME_OPTION_ENABLED: ${WEB_CONF_FRAME_OPTION_ENABLED:-false} + WEB_CONF_FRAME_OPTION: ${WEB_CONF_FRAME_OPTION:-"SAMEORIGIN"} + WEB_CONF_FRAME_ORIGIN: ${WEB_CONF_FRAME_ORIGIN:-""} + #Content Type + WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED: ${WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED:-false} + #XSS-Protection + WEB_CONF_XSS_PROTECTION_ENABLED: ${WEB_CONF_XSS_PROTECTION_ENABLED:-false} + WEB_CONF_XSS_PROTECTION_ON: ${WEB_CONF_XSS_PROTECTION_ON:-true} + WEB_CONF_XSS_PROTECTION_BLOCK: ${WEB_CONF_XSS_PROTECTION_BLOCK:-true} + #CSP + WEB_CONF_XSS_CSP_ENABLED: ${WEB_CONF_XSS_CSP_ENABLED:-false} + WEB_CONF_XSS_CSP_POLICY: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"} + WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY: ${WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY:-""} + #Referrer-Policy + WEB_CONF_REFERRER_POLICY_ENABLED: ${WEB_CONF_REFERRER_POLICY_ENABLED:-false} + WEB_CONF_REFERRER_POLICY_OPTION: ${WEB_CONF_REFERRER_POLICY_OPTION:-"SAME_ORIGIN"} + #Permission-Policy + WEB_CONF_PERMISSION_POLICY_ENABLED: ${WEB_CONF_PERMISSION_POLICY_ENABLED:-false} + WEB_CONF_PERMISSION_POLICY_OPTION: ${WEB_CONF_PERMISSION_POLICY_OPTION:-""} + #Cache + WEB_CONF_CACHE_CONTROL: ${WEB_CONF_CACHE_CONTROL:-""} + WEB_CONF_PRAGMA: ${WEB_CONF_PRAGMA:-""} + depends_on: + elasticsearch: + condition: service_healthy + mysql: + condition: service_healthy + networks: + - local_app_net + + openmetadata-server: + build: + context: ../../. + dockerfile: docker/development/Dockerfile + container_name: openmetadata_server + environment: + OPENMETADATA_CLUSTER_NAME: ${OPENMETADATA_CLUSTER_NAME:-openmetadata} + SERVER_PORT: ${SERVER_PORT:-8585} + SERVER_ADMIN_PORT: ${SERVER_ADMIN_PORT:-8586} + LOG_LEVEL: ${LOG_LEVEL:-INFO} + + # OpenMetadata Server Authentication Configuration + AUTHORIZER_CLASS_NAME: ${AUTHORIZER_CLASS_NAME:-org.openmetadata.service.security.DefaultAuthorizer} + AUTHORIZER_REQUEST_FILTER: ${AUTHORIZER_REQUEST_FILTER:-org.openmetadata.service.security.JwtFilter} + AUTHORIZER_ADMIN_PRINCIPALS: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]} + AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]} + AUTHORIZER_INGESTION_PRINCIPALS: ${AUTHORIZER_INGESTION_PRINCIPALS:-[ingestion-bot]} + AUTHORIZER_PRINCIPAL_DOMAIN: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"open-metadata.org"} AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN: ${AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN:-false} AUTHORIZER_ENABLE_SECURE_SOCKET: ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false} AUTHENTICATION_PROVIDER: ${AUTHENTICATION_PROVIDER:-basic} @@ -91,6 +367,7 @@ x-environment: &common-env # AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]} # AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-} # AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} + # JWT Configuration RSA_PUBLIC_KEY_FILE_PATH: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"} RSA_PRIVATE_KEY_FILE_PATH: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"} @@ -119,19 +396,22 @@ x-environment: &common-env ELASTICSEARCH_USER: ${ELASTICSEARCH_USER:-""} ELASTICSEARCH_PASSWORD: ${ELASTICSEARCH_PASSWORD:-""} SEARCH_TYPE: ${SEARCH_TYPE:- "elasticsearch"} + ELASTICSEARCH_CLUSTER_ALIAS: ${ELASTICSEARCH_CLUSTER_ALIAS:- "openmetadata"} ELASTICSEARCH_TRUST_STORE_PATH: ${ELASTICSEARCH_TRUST_STORE_PATH:-""} ELASTICSEARCH_TRUST_STORE_PASSWORD: ${ELASTICSEARCH_TRUST_STORE_PASSWORD:-""} ELASTICSEARCH_CONNECTION_TIMEOUT_SECS: ${ELASTICSEARCH_CONNECTION_TIMEOUT_SECS:-5} ELASTICSEARCH_SOCKET_TIMEOUT_SECS: ${ELASTICSEARCH_SOCKET_TIMEOUT_SECS:-60} ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS: ${ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS:-600} - ELASTICSEARCH_BATCH_SIZE: ${ELASTICSEARCH_BATCH_SIZE:-10} + ELASTICSEARCH_BATCH_SIZE: ${ELASTICSEARCH_BATCH_SIZE:-100} ELASTICSEARCH_PAYLOAD_BYTES_SIZE: ${ELASTICSEARCH_PAYLOAD_BYTES_SIZE:-10485760} #max payLoadSize in Bytes ELASTICSEARCH_INDEX_MAPPING_LANG: ${ELASTICSEARCH_INDEX_MAPPING_LANG:-EN} + #eventMonitoringConfiguration EVENT_MONITOR: ${EVENT_MONITOR:-prometheus} EVENT_MONITOR_BATCH_SIZE: ${EVENT_MONITOR_BATCH_SIZE:-10} EVENT_MONITOR_PATH_PATTERN: ${EVENT_MONITOR_PATH_PATTERN:-["/api/v1/tables/*", "/api/v1/health-check"]} EVENT_MONITOR_LATENCY: ${EVENT_MONITOR_LATENCY:-[]} + #pipelineServiceClientConfiguration PIPELINE_SERVICE_CLIENT_CLASS_NAME: ${PIPELINE_SERVICE_CLIENT_CLASS_NAME:-"org.openmetadata.service.clients.pipeline.airflow.AirflowRESTClient"} PIPELINE_SERVICE_IP_INFO_ENABLED: ${PIPELINE_SERVICE_IP_INFO_ENABLED:-false} @@ -144,6 +424,7 @@ x-environment: &common-env AIRFLOW_TRUST_STORE_PATH: ${AIRFLOW_TRUST_STORE_PATH:-""} AIRFLOW_TRUST_STORE_PASSWORD: ${AIRFLOW_TRUST_STORE_PASSWORD:-""} FERNET_KEY: ${FERNET_KEY:-jJ/9sz0g0OHxsfxOoSfdFdmk3ysNmPRnH3TUAbz3IHA=} + #secretsManagerConfiguration SECRET_MANAGER: ${SECRET_MANAGER:-db} # AWS: @@ -155,6 +436,9 @@ x-environment: &common-env OM_SM_CLIENT_ID: ${OM_SM_CLIENT_ID:-""} OM_SM_CLIENT_SECRET: ${OM_SM_CLIENT_SECRET:-""} OM_SM_TENANT_ID: ${OM_SM_TENANT_ID:-""} + # GCP: + OM_SM_PROJECT_ID: ${OM_SM_PROJECT_ID:-""} + #email configuration: OM_EMAIL_ENTITY: ${OM_EMAIL_ENTITY:-"OpenMetadata"} OM_SUPPORT_URL: ${OM_SUPPORT_URL:-"https://slack.open-metadata.org"} @@ -166,116 +450,14 @@ x-environment: &common-env SMTP_SERVER_USERNAME: ${SMTP_SERVER_USERNAME:-""} SMTP_SERVER_PWD: ${SMTP_SERVER_PWD:-""} SMTP_SERVER_STRATEGY: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"} + #extensionConfiguration OM_RESOURCE_PACKAGES: ${OM_RESOURCE_PACKAGES:-[]} OM_EXTENSIONS: ${OM_EXTENSIONS:-[]} + # Heap OPTS Configurations OPENMETADATA_HEAP_OPTS: ${OPENMETADATA_HEAP_OPTS:--Xmx1G -Xms1G} - #Cache - WEB_CONF_CACHE_CONTROL: ${WEB_CONF_CACHE_CONTROL:-""} - WEB_CONF_PRAGMA: ${WEB_CONF_PRAGMA:-""} - #CSP - WEB_CONF_XSS_CSP_ENABLED: ${WEB_CONF_XSS_CSP_ENABLED:-false} - WEB_CONF_XSS_CSP_POLICY: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"} - WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY: ${WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY:-""} - #XSS-Protection - WEB_CONF_XSS_PROTECTION_ENABLED: ${WEB_CONF_XSS_PROTECTION_ENABLED:-false} - WEB_CONF_XSS_PROTECTION_ON: ${WEB_CONF_XSS_PROTECTION_ON:-true} - WEB_CONF_XSS_PROTECTION_BLOCK: ${WEB_CONF_XSS_PROTECTION_BLOCK:-true} - #Content Type - WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED: ${WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED:-false} - #Frame Options - WEB_CONF_FRAME_OPTION_ENABLED: ${WEB_CONF_FRAME_OPTION_ENABLED:-false} - WEB_CONF_FRAME_OPTION: ${WEB_CONF_FRAME_OPTION:-"SAMEORIGIN"} - WEB_CONF_FRAME_ORIGIN: ${WEB_CONF_FRAME_ORIGIN:-""} - #HSTS - WEB_CONF_HSTS_ENABLED: ${WEB_CONF_HSTS_ENABLED:-false} - WEB_CONF_HSTS_MAX_AGE: ${WEB_CONF_HSTS_MAX_AGE:-"365 days"} - WEB_CONF_HSTS_INCLUDE_SUBDOMAINS: ${WEB_CONF_HSTS_INCLUDE_SUBDOMAINS:-"true"} - WEB_CONF_HSTS_PRELOAD: ${WEB_CONF_HSTS_PRELOAD:-"true"} - #OpenMetadata Web Configuration - WEB_CONF_URI_PATH: ${WEB_CONF_URI_PATH:-"/api"} - # Migration - MIGRATION_LIMIT_PARAM: ${MIGRATION_LIMIT_PARAM:-1200} - #Referrer-Policy - WEB_CONF_REFERRER_POLICY_ENABLED: ${WEB_CONF_REFERRER_POLICY_ENABLED:-false} - WEB_CONF_REFERRER_POLICY_OPTION: ${WEB_CONF_REFERRER_POLICY_OPTION:-"SAME_ORIGIN"} - #Permission-Policy - WEB_CONF_PERMISSION_POLICY_ENABLED: ${WEB_CONF_PERMISSION_POLICY_ENABLED:-false} - WEB_CONF_PERMISSION_POLICY_OPTION: ${WEB_CONF_PERMISSION_POLICY_OPTION:-""} - -services: - mysql: - build: - context: ../../. - dockerfile: docker/mysql/Dockerfile_mysql - command: "--sort_buffer_size=10M" - container_name: openmetadata_mysql - restart: always - depends_on: - - elasticsearch - environment: - MYSQL_ROOT_PASSWORD: password - expose: - - 3306 - ports: - - "3306:3306" - networks: - - local_app_net - healthcheck: - test: mysql --user=root --password=$$MYSQL_ROOT_PASSWORD --silent --execute "use openmetadata_db" - interval: 15s - timeout: 10s - retries: 10 - volumes: - - ./docker-volume/db-data:/var/lib/mysql - - elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:8.11.4 - container_name: openmetadata_elasticsearch - environment: - - discovery.type=single-node - - ES_JAVA_OPTS=-Xms1024m -Xmx1024m - - xpack.security.enabled=false - networks: - - local_app_net - expose: - - 9200 - - 9300 - ports: - - "9200:9200" - - "9300:9300" - healthcheck: - test: "curl -s http://localhost:9200/_cluster/health?pretty | grep status | grep -qE 'green|yellow' || exit 1" - interval: 15s - timeout: 10s - retries: 10 - volumes: - - es-data:/usr/share/elasticsearch/data - - execute-migrate-all: - build: - context: ../../. - dockerfile: docker/development/Dockerfile - container_name: execute_migrate_all - command: "./bootstrap/openmetadata-ops.sh -d migrate --force" - environment: - <<: *common-env - depends_on: - elasticsearch: - condition: service_healthy - mysql: - condition: service_healthy - networks: - - local_app_net - - openmetadata-server: - build: - context: ../../. - dockerfile: docker/development/Dockerfile - container_name: openmetadata_server - environment: - <<: *common-env + MASK_PASSWORDS_API: ${MASK_PASSWORDS_API:-true} expose: - 8585 - 8586 @@ -362,11 +544,6 @@ services: - ingestion-volume-tmp:/tmp - /var/run/docker.sock:/var/run/docker.sock:z # Need 600 permissions to run DockerOperator -volumes: - ingestion-volume-dag-airflow: - ingestion-volume-dags: - ingestion-volume-tmp: - es-data: networks: local_app_net: diff --git a/docker/docker-compose-quickstart/docker-compose-postgres.yml b/docker/docker-compose-quickstart/docker-compose-postgres.yml index 103ddef790d..4b279df6cb2 100644 --- a/docker/docker-compose-quickstart/docker-compose-postgres.yml +++ b/docker/docker-compose-quickstart/docker-compose-postgres.yml @@ -9,8 +9,274 @@ # See the License for the specific language governing permissions and # limitations under the License. -# version: "3.9" -x-environment: &common-env +version: "3.9" +volumes: + ingestion-volume-dag-airflow: + ingestion-volume-dags: + ingestion-volume-tmp: + es-data: +services: + postgresql: + container_name: openmetadata_postgresql + image: docker.getcollate.io/openmetadata/postgresql:1.5.0-SNAPSHOT + restart: always + command: "--work_mem=10MB" + environment: + POSTGRES_USER: postgres + POSTGRES_PASSWORD: password + expose: + - 5432 + ports: + - "5432:5432" + volumes: + - ./docker-volume/db-data-postgres:/var/lib/postgresql/data + + networks: + - app_net + healthcheck: + test: psql -U postgres -tAc 'select 1' -d openmetadata_db + interval: 15s + timeout: 10s + retries: 10 + + elasticsearch: + container_name: openmetadata_elasticsearch + image: docker.elastic.co/elasticsearch/elasticsearch:8.11.4 + environment: + - discovery.type=single-node + - ES_JAVA_OPTS=-Xms1024m -Xmx1024m + - xpack.security.enabled=false + networks: + - app_net + ports: + - "9200:9200" + - "9300:9300" + healthcheck: + test: "curl -s http://localhost:9200/_cluster/health?pretty | grep status | grep -qE 'green|yellow' || exit 1" + interval: 15s + timeout: 10s + retries: 10 + volumes: + - es-data:/usr/share/elasticsearch/data + + execute-migrate-all: + container_name: execute_migrate_all + image: docker.getcollate.io/openmetadata/server:1.5.0-SNAPSHOT + command: "./bootstrap/openmetadata-ops.sh migrate" + environment: + OPENMETADATA_CLUSTER_NAME: ${OPENMETADATA_CLUSTER_NAME:-openmetadata} + SERVER_PORT: ${SERVER_PORT:-8585} + SERVER_ADMIN_PORT: ${SERVER_ADMIN_PORT:-8586} + LOG_LEVEL: ${LOG_LEVEL:-INFO} + + # Migration + MIGRATION_LIMIT_PARAM: ${MIGRATION_LIMIT_PARAM:-1200} + + # OpenMetadata Server Authentication Configuration + AUTHORIZER_CLASS_NAME: ${AUTHORIZER_CLASS_NAME:-org.openmetadata.service.security.DefaultAuthorizer} + AUTHORIZER_REQUEST_FILTER: ${AUTHORIZER_REQUEST_FILTER:-org.openmetadata.service.security.JwtFilter} + AUTHORIZER_ADMIN_PRINCIPALS: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]} + AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]} + AUTHORIZER_INGESTION_PRINCIPALS: ${AUTHORIZER_INGESTION_PRINCIPALS:-[ingestion-bot]} + AUTHORIZER_PRINCIPAL_DOMAIN: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"open-metadata.org"} + AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN: ${AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN:-false} + AUTHORIZER_ENABLE_SECURE_SOCKET: ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false} + AUTHENTICATION_PROVIDER: ${AUTHENTICATION_PROVIDER:-basic} + AUTHENTICATION_RESPONSE_TYPE: ${AUTHENTICATION_RESPONSE_TYPE:-id_token} + CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME: ${CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME:-""} + AUTHENTICATION_PUBLIC_KEYS: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]} + AUTHENTICATION_AUTHORITY: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com} + AUTHENTICATION_CLIENT_ID: ${AUTHENTICATION_CLIENT_ID:-""} + AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""} + AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]} + AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING:-[]} + AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true} + AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public} + #For OIDC Authentication, when client is confidential + OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""} + OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc. + OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""} + OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"} + OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""} + OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true} + OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"} + OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"} + OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true} + OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"} + OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"} + OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"} + OIDC_TENANT: ${OIDC_TENANT:-""} + OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""} + OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}} + # For SAML Authentication + # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false} + # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""} + # SAML_IDP_SSO_LOGIN_URL: ${SAML_IDP_SSO_LOGIN_URL:-""} + # SAML_IDP_CERTIFICATE: ${SAML_IDP_CERTIFICATE:-""} + # SAML_AUTHORITY_URL: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"} + # SAML_IDP_NAME_ID: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"} + # SAML_SP_ENTITY_ID: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"} + # SAML_SP_ACS: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"} + # SAML_SP_CERTIFICATE: ${SAML_SP_CERTIFICATE:-""} + # SAML_SP_CALLBACK: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"} + # SAML_STRICT_MODE: ${SAML_STRICT_MODE:-false} + # SAML_SP_TOKEN_VALIDITY: ${SAML_SP_TOKEN_VALIDITY:-"3600"} + # SAML_SEND_ENCRYPTED_NAME_ID: ${SAML_SEND_ENCRYPTED_NAME_ID:-false} + # SAML_SEND_SIGNED_AUTH_REQUEST: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false} + # SAML_SIGNED_SP_METADATA: ${SAML_SIGNED_SP_METADATA:-false} + # SAML_WANT_MESSAGE_SIGNED: ${SAML_WANT_MESSAGE_SIGNED:-false} + # SAML_WANT_ASSERTION_SIGNED: ${SAML_WANT_ASSERTION_SIGNED:-false} + # SAML_WANT_ASSERTION_ENCRYPTED: ${SAML_WANT_ASSERTION_ENCRYPTED:-false} + # SAML_WANT_NAME_ID_ENCRYPTED: ${SAML_WANT_NAME_ID_ENCRYPTED:-false} + # SAML_KEYSTORE_FILE_PATH: ${SAML_KEYSTORE_FILE_PATH:-""} + # SAML_KEYSTORE_ALIAS: ${SAML_KEYSTORE_ALIAS:-""} + # SAML_KEYSTORE_PASSWORD: ${SAML_KEYSTORE_PASSWORD:-""} + # For LDAP Authentication + # AUTHENTICATION_LDAP_HOST: ${AUTHENTICATION_LDAP_HOST:-} + # AUTHENTICATION_LDAP_PORT: ${AUTHENTICATION_LDAP_PORT:-} + # AUTHENTICATION_LOOKUP_ADMIN_DN: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-""} + # AUTHENTICATION_LOOKUP_ADMIN_PWD: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-""} + # AUTHENTICATION_USER_LOOKUP_BASEDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-""} + # AUTHENTICATION_USER_MAIL_ATTR: ${AUTHENTICATION_USER_MAIL_ATTR:-} + # AUTHENTICATION_LDAP_POOL_SIZE: ${AUTHENTICATION_LDAP_POOL_SIZE:-3} + # AUTHENTICATION_LDAP_SSL_ENABLED: ${AUTHENTICATION_LDAP_SSL_ENABLED:-} + # AUTHENTICATION_LDAP_TRUSTSTORE_TYPE: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} + # AUTHENTICATION_LDAP_TRUSTSTORE_PATH: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-} + # AUTHENTICATION_LDAP_KEYSTORE_PASSWORD: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-} + # AUTHENTICATION_LDAP_SSL_KEY_FORMAT: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-} + # AUTHENTICATION_LDAP_ALLOW_WILDCARDS: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-} + # AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]} + # AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-} + # AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} + + # JWT Configuration + RSA_PUBLIC_KEY_FILE_PATH: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"} + RSA_PRIVATE_KEY_FILE_PATH: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"} + JWT_ISSUER: ${JWT_ISSUER:-"open-metadata.org"} + JWT_KEY_ID: ${JWT_KEY_ID:-"Gb389a-9f76-gdjs-a92j-0242bk94356"} + # OpenMetadata Server Pipeline Service Client Configuration + PIPELINE_SERVICE_CLIENT_ENDPOINT: ${PIPELINE_SERVICE_CLIENT_ENDPOINT:-http://ingestion:8080} + PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL: ${PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL:-300} + SERVER_HOST_API_URL: ${SERVER_HOST_API_URL:-http://openmetadata-server:8585/api} + PIPELINE_SERVICE_CLIENT_VERIFY_SSL: ${PIPELINE_SERVICE_CLIENT_VERIFY_SSL:-"no-ssl"} + PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH: ${PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH:-""} + #Database configuration for postgresql + DB_DRIVER_CLASS: ${DB_DRIVER_CLASS:-org.postgresql.Driver} + DB_SCHEME: ${DB_SCHEME:-postgresql} + DB_PARAMS: ${DB_PARAMS:-allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC} + DB_USER: ${DB_USER:-openmetadata_user} + DB_USER_PASSWORD: ${DB_USER_PASSWORD:-openmetadata_password} + DB_HOST: ${DB_HOST:-postgresql} + DB_PORT: ${DB_PORT:-5432} + OM_DATABASE: ${OM_DATABASE:-openmetadata_db} + # ElasticSearch Configurations + ELASTICSEARCH_HOST: ${ELASTICSEARCH_HOST:- elasticsearch} + ELASTICSEARCH_PORT: ${ELASTICSEARCH_PORT:-9200} + ELASTICSEARCH_SCHEME: ${ELASTICSEARCH_SCHEME:-http} + ELASTICSEARCH_USER: ${ELASTICSEARCH_USER:-""} + ELASTICSEARCH_PASSWORD: ${ELASTICSEARCH_PASSWORD:-""} + SEARCH_TYPE: ${SEARCH_TYPE:- "elasticsearch"} + ELASTICSEARCH_TRUST_STORE_PATH: ${ELASTICSEARCH_TRUST_STORE_PATH:-""} + ELASTICSEARCH_TRUST_STORE_PASSWORD: ${ELASTICSEARCH_TRUST_STORE_PASSWORD:-""} + ELASTICSEARCH_CONNECTION_TIMEOUT_SECS: ${ELASTICSEARCH_CONNECTION_TIMEOUT_SECS:-5} + ELASTICSEARCH_SOCKET_TIMEOUT_SECS: ${ELASTICSEARCH_SOCKET_TIMEOUT_SECS:-60} + ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS: ${ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS:-600} + ELASTICSEARCH_BATCH_SIZE: ${ELASTICSEARCH_BATCH_SIZE:-100} + ELASTICSEARCH_PAYLOAD_BYTES_SIZE: ${ELASTICSEARCH_PAYLOAD_BYTES_SIZE:-10485760} #max payLoadSize in Bytes + ELASTICSEARCH_INDEX_MAPPING_LANG: ${ELASTICSEARCH_INDEX_MAPPING_LANG:-EN} + + #eventMonitoringConfiguration + EVENT_MONITOR: ${EVENT_MONITOR:-prometheus} + EVENT_MONITOR_BATCH_SIZE: ${EVENT_MONITOR_BATCH_SIZE:-10} + EVENT_MONITOR_PATH_PATTERN: ${EVENT_MONITOR_PATH_PATTERN:-["/api/v1/tables/*", "/api/v1/health-check"]} + EVENT_MONITOR_LATENCY: ${EVENT_MONITOR_LATENCY:-[]} + + #pipelineServiceClientConfiguration + PIPELINE_SERVICE_CLIENT_ENABLED: ${PIPELINE_SERVICE_CLIENT_ENABLED:-true} + PIPELINE_SERVICE_CLIENT_CLASS_NAME: ${PIPELINE_SERVICE_CLIENT_CLASS_NAME:-"org.openmetadata.service.clients.pipeline.airflow.AirflowRESTClient"} + PIPELINE_SERVICE_IP_INFO_ENABLED: ${PIPELINE_SERVICE_IP_INFO_ENABLED:-false} + PIPELINE_SERVICE_CLIENT_HOST_IP: ${PIPELINE_SERVICE_CLIENT_HOST_IP:-""} + PIPELINE_SERVICE_CLIENT_SECRETS_MANAGER_LOADER: ${PIPELINE_SERVICE_CLIENT_SECRETS_MANAGER_LOADER:-"noop"} + #airflow parameters + AIRFLOW_USERNAME: ${AIRFLOW_USERNAME:-admin} + AIRFLOW_PASSWORD: ${AIRFLOW_PASSWORD:-admin} + AIRFLOW_TIMEOUT: ${AIRFLOW_TIMEOUT:-10} + AIRFLOW_TRUST_STORE_PATH: ${AIRFLOW_TRUST_STORE_PATH:-""} + AIRFLOW_TRUST_STORE_PASSWORD: ${AIRFLOW_TRUST_STORE_PASSWORD:-""} + FERNET_KEY: ${FERNET_KEY:-jJ/9sz0g0OHxsfxOoSfdFdmk3ysNmPRnH3TUAbz3IHA=} + + #secretsManagerConfiguration + SECRET_MANAGER: ${SECRET_MANAGER:-db} + # AWS: + OM_SM_REGION: ${OM_SM_REGION:-""} + OM_SM_ACCESS_KEY_ID: ${OM_SM_ACCESS_KEY_ID:-""} + OM_SM_ACCESS_KEY: ${OM_SM_ACCESS_KEY:-""} + # Azure: + OM_SM_VAULT_NAME: ${OM_SM_VAULT_NAME:-""} + OM_SM_CLIENT_ID: ${OM_SM_CLIENT_ID:-""} + OM_SM_CLIENT_SECRET: ${OM_SM_CLIENT_SECRET:-""} + OM_SM_TENANT_ID: ${OM_SM_TENANT_ID:-""} + + #email configuration: + OM_EMAIL_ENTITY: ${OM_EMAIL_ENTITY:-"OpenMetadata"} + OM_SUPPORT_URL: ${OM_SUPPORT_URL:-"https://slack.open-metadata.org"} + AUTHORIZER_ENABLE_SMTP : ${AUTHORIZER_ENABLE_SMTP:-false} + OPENMETADATA_SERVER_URL: ${OPENMETADATA_SERVER_URL:-""} + OPENMETADATA_SMTP_SENDER_MAIL: ${OPENMETADATA_SMTP_SENDER_MAIL:-""} + SMTP_SERVER_ENDPOINT: ${SMTP_SERVER_ENDPOINT:-""} + SMTP_SERVER_PORT: ${SMTP_SERVER_PORT:-""} + SMTP_SERVER_USERNAME: ${SMTP_SERVER_USERNAME:-""} + SMTP_SERVER_PWD: ${SMTP_SERVER_PWD:-""} + SMTP_SERVER_STRATEGY: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"} + + # Heap OPTS Configurations + OPENMETADATA_HEAP_OPTS: ${OPENMETADATA_HEAP_OPTS:--Xmx1G -Xms1G} + # Mask passwords values in UI + MASK_PASSWORDS_API: ${MASK_PASSWORDS_API:-false} + + #OpenMetadata Web Configuration + WEB_CONF_URI_PATH: ${WEB_CONF_URI_PATH:-"/api"} + #HSTS + WEB_CONF_HSTS_ENABLED: ${WEB_CONF_HSTS_ENABLED:-false} + WEB_CONF_HSTS_MAX_AGE: ${WEB_CONF_HSTS_MAX_AGE:-"365 days"} + WEB_CONF_HSTS_INCLUDE_SUBDOMAINS: ${WEB_CONF_HSTS_INCLUDE_SUBDOMAINS:-"true"} + WEB_CONF_HSTS_PRELOAD: ${WEB_CONF_HSTS_PRELOAD:-"true"} + #Frame Options + WEB_CONF_FRAME_OPTION_ENABLED: ${WEB_CONF_FRAME_OPTION_ENABLED:-false} + WEB_CONF_FRAME_OPTION: ${WEB_CONF_FRAME_OPTION:-"SAMEORIGIN"} + WEB_CONF_FRAME_ORIGIN: ${WEB_CONF_FRAME_ORIGIN:-""} + #Content Type + WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED: ${WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED:-false} + #XSS-Protection + WEB_CONF_XSS_PROTECTION_ENABLED: ${WEB_CONF_XSS_PROTECTION_ENABLED:-false} + WEB_CONF_XSS_PROTECTION_ON: ${WEB_CONF_XSS_PROTECTION_ON:-true} + WEB_CONF_XSS_PROTECTION_BLOCK: ${WEB_CONF_XSS_PROTECTION_BLOCK:-true} + #CSP + WEB_CONF_XSS_CSP_ENABLED: ${WEB_CONF_XSS_CSP_ENABLED:-false} + WEB_CONF_XSS_CSP_POLICY: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"} + WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY: ${WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY:-""} + #Referrer-Policy + WEB_CONF_REFERRER_POLICY_ENABLED: ${WEB_CONF_REFERRER_POLICY_ENABLED:-false} + WEB_CONF_REFERRER_POLICY_OPTION: ${WEB_CONF_REFERRER_POLICY_OPTION:-"SAME_ORIGIN"} + #Permission-Policy + WEB_CONF_PERMISSION_POLICY_ENABLED: ${WEB_CONF_PERMISSION_POLICY_ENABLED:-false} + WEB_CONF_PERMISSION_POLICY_OPTION: ${WEB_CONF_PERMISSION_POLICY_OPTION:-""} + #Cache + WEB_CONF_CACHE_CONTROL: ${WEB_CONF_CACHE_CONTROL:-""} + WEB_CONF_PRAGMA: ${WEB_CONF_PRAGMA:-""} + depends_on: + elasticsearch: + condition: service_healthy + postgresql: + condition: service_healthy + networks: + - app_net + + openmetadata-server: + container_name: openmetadata_server + restart: always + image: docker.getcollate.io/openmetadata/server:1.5.0-SNAPSHOT + environment: OPENMETADATA_CLUSTER_NAME: ${OPENMETADATA_CLUSTER_NAME:-openmetadata} SERVER_PORT: ${SERVER_PORT:-8585} SERVER_ADMIN_PORT: ${SERVER_ADMIN_PORT:-8586} @@ -114,12 +380,12 @@ x-environment: &common-env DB_PORT: ${DB_PORT:-5432} OM_DATABASE: ${OM_DATABASE:-openmetadata_db} # ElasticSearch Configurations - ELASTICSEARCH_HOST: ${ELASTICSEARCH_HOST:- opensearch} + ELASTICSEARCH_HOST: ${ELASTICSEARCH_HOST:- elasticsearch} ELASTICSEARCH_PORT: ${ELASTICSEARCH_PORT:-9200} ELASTICSEARCH_SCHEME: ${ELASTICSEARCH_SCHEME:-http} ELASTICSEARCH_USER: ${ELASTICSEARCH_USER:-""} ELASTICSEARCH_PASSWORD: ${ELASTICSEARCH_PASSWORD:-""} - SEARCH_TYPE: ${SEARCH_TYPE:- "opensearch"} + SEARCH_TYPE: ${SEARCH_TYPE:- "elasticsearch"} ELASTICSEARCH_TRUST_STORE_PATH: ${ELASTICSEARCH_TRUST_STORE_PATH:-""} ELASTICSEARCH_TRUST_STORE_PASSWORD: ${ELASTICSEARCH_TRUST_STORE_PASSWORD:-""} ELASTICSEARCH_CONNECTION_TIMEOUT_SECS: ${ELASTICSEARCH_CONNECTION_TIMEOUT_SECS:-5} @@ -197,72 +463,6 @@ x-environment: &common-env #Cache WEB_CONF_CACHE_CONTROL: ${WEB_CONF_CACHE_CONTROL:-""} WEB_CONF_PRAGMA: ${WEB_CONF_PRAGMA:-""} - - - -services: - postgresql: - container_name: openmetadata_postgresql - image: docker.getcollate.io/openmetadata/postgresql:1.5.0-SNAPSHOT - restart: always - command: "--work_mem=10MB" - environment: - POSTGRES_USER: postgres - POSTGRES_PASSWORD: password - expose: - - 5432 - ports: - - "5432:5432" - volumes: - - ./docker-volume/db-data-postgres:/var/lib/postgresql/data - networks: - - app_net - healthcheck: - test: psql -U postgres -tAc 'select 1' -d openmetadata_db - interval: 15s - timeout: 10s - retries: 10 - - elasticsearch: - container_name: openmetadata_elasticsearch - image: docker.elastic.co/elasticsearch/elasticsearch:8.11.4 - environment: - - discovery.type=single-node - - ES_JAVA_OPTS=-Xms1024m -Xmx1024m - - xpack.security.enabled=false - networks: - - app_net - ports: - - "9200:9200" - - "9300:9300" - healthcheck: - test: "curl -s http://localhost:9200/_cluster/health?pretty | grep status | grep -qE 'green|yellow' || exit 1" - interval: 15s - timeout: 10s - retries: 10 - volumes: - - es-data:/usr/share/elasticsearch/data - - execute-migrate-all: - container_name: execute_migrate_all - image: docker.getcollate.io/openmetadata/server:1.5.0-SNAPSHOT - command: "./bootstrap/openmetadata-ops.sh migrate" - environment: - <<: *common-env - depends_on: - elasticsearch: - condition: service_healthy - postgresql: - condition: service_healthy - networks: - - app_net - - openmetadata-server: - container_name: openmetadata_server - restart: always - image: docker.getcollate.io/openmetadata/server:1.5.0-SNAPSHOT - environment: - <<: *common-env expose: - 8585 - 8586 @@ -325,12 +525,6 @@ services: - ingestion-volume-dags:/opt/airflow/dags - ingestion-volume-tmp:/tmp -volumes: - ingestion-volume-dag-airflow: - ingestion-volume-dags: - ingestion-volume-tmp: - es-data: - networks: app_net: ipam: diff --git a/docker/docker-compose-quickstart/docker-compose.yml b/docker/docker-compose-quickstart/docker-compose.yml index c2aa25d61ee..a66b57ddfb6 100644 --- a/docker/docker-compose-quickstart/docker-compose.yml +++ b/docker/docker-compose-quickstart/docker-compose.yml @@ -9,18 +9,74 @@ # See the License for the specific language governing permissions and # limitations under the License. -x-environment: &common-env +version: "3.9" +volumes: + ingestion-volume-dag-airflow: + ingestion-volume-dags: + ingestion-volume-tmp: + es-data: +services: + mysql: + container_name: openmetadata_mysql + image: docker.getcollate.io/openmetadata/db:1.5.0-SNAPSHOT + command: "--sort_buffer_size=10M" + restart: always + environment: + MYSQL_ROOT_PASSWORD: password + expose: + - 3306 + ports: + - "3306:3306" + volumes: + - ./docker-volume/db-data:/var/lib/mysql + networks: + - app_net + healthcheck: + test: mysql --user=root --password=$$MYSQL_ROOT_PASSWORD --silent --execute "use openmetadata_db" + interval: 15s + timeout: 10s + retries: 10 + + elasticsearch: + container_name: openmetadata_elasticsearch + image: docker.elastic.co/elasticsearch/elasticsearch:8.11.4 + environment: + - discovery.type=single-node + - ES_JAVA_OPTS=-Xms1024m -Xmx1024m + - xpack.security.enabled=false + networks: + - app_net + ports: + - "9200:9200" + - "9300:9300" + healthcheck: + test: "curl -s http://localhost:9200/_cluster/health?pretty | grep status | grep -qE 'green|yellow' || exit 1" + interval: 15s + timeout: 10s + retries: 10 + volumes: + - es-data:/usr/share/elasticsearch/data + + execute-migrate-all: + container_name: execute_migrate_all + image: docker.getcollate.io/openmetadata/server:1.5.0-SNAPSHOT + command: "./bootstrap/openmetadata-ops.sh migrate" + environment: OPENMETADATA_CLUSTER_NAME: ${OPENMETADATA_CLUSTER_NAME:-openmetadata} SERVER_PORT: ${SERVER_PORT:-8585} SERVER_ADMIN_PORT: ${SERVER_ADMIN_PORT:-8586} LOG_LEVEL: ${LOG_LEVEL:-INFO} + + # Migration + MIGRATION_LIMIT_PARAM: ${MIGRATION_LIMIT_PARAM:-1200} + # OpenMetadata Server Authentication Configuration AUTHORIZER_CLASS_NAME: ${AUTHORIZER_CLASS_NAME:-org.openmetadata.service.security.DefaultAuthorizer} AUTHORIZER_REQUEST_FILTER: ${AUTHORIZER_REQUEST_FILTER:-org.openmetadata.service.security.JwtFilter} AUTHORIZER_ADMIN_PRINCIPALS: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]} AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]} AUTHORIZER_INGESTION_PRINCIPALS: ${AUTHORIZER_INGESTION_PRINCIPALS:-[ingestion-bot]} - AUTHORIZER_PRINCIPAL_DOMAIN: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"openmetadata.org"} + AUTHORIZER_PRINCIPAL_DOMAIN: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"open-metadata.org"} AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN: ${AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN:-false} AUTHORIZER_ENABLE_SECURE_SOCKET: ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false} AUTHENTICATION_PROVIDER: ${AUTHENTICATION_PROVIDER:-basic} @@ -32,7 +88,7 @@ x-environment: &common-env AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""} AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]} AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING:-[]} - AUTHENTICATION_ENABLE_SELF_SIGNUP : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true} + AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true} AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public} #For OIDC Authentication, when client is confidential OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""} @@ -90,6 +146,7 @@ x-environment: &common-env # AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]} # AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-} # AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} + # JWT Configuration RSA_PUBLIC_KEY_FILE_PATH: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"} RSA_PRIVATE_KEY_FILE_PATH: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"} @@ -105,7 +162,6 @@ x-environment: &common-env DB_DRIVER_CLASS: ${DB_DRIVER_CLASS:-com.mysql.cj.jdbc.Driver} DB_SCHEME: ${DB_SCHEME:-mysql} DB_PARAMS: ${DB_PARAMS:-allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC} - DB_USE_SSL: ${DB_USE_SSL:-false} DB_USER: ${DB_USER:-openmetadata_user} DB_USER_PASSWORD: ${DB_USER_PASSWORD:-openmetadata_password} DB_HOST: ${DB_HOST:-mysql} @@ -123,15 +179,18 @@ x-environment: &common-env ELASTICSEARCH_CONNECTION_TIMEOUT_SECS: ${ELASTICSEARCH_CONNECTION_TIMEOUT_SECS:-5} ELASTICSEARCH_SOCKET_TIMEOUT_SECS: ${ELASTICSEARCH_SOCKET_TIMEOUT_SECS:-60} ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS: ${ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS:-600} - ELASTICSEARCH_BATCH_SIZE: ${ELASTICSEARCH_BATCH_SIZE:-10} + ELASTICSEARCH_BATCH_SIZE: ${ELASTICSEARCH_BATCH_SIZE:-100} ELASTICSEARCH_PAYLOAD_BYTES_SIZE: ${ELASTICSEARCH_PAYLOAD_BYTES_SIZE:-10485760} #max payLoadSize in Bytes ELASTICSEARCH_INDEX_MAPPING_LANG: ${ELASTICSEARCH_INDEX_MAPPING_LANG:-EN} + #eventMonitoringConfiguration EVENT_MONITOR: ${EVENT_MONITOR:-prometheus} EVENT_MONITOR_BATCH_SIZE: ${EVENT_MONITOR_BATCH_SIZE:-10} EVENT_MONITOR_PATH_PATTERN: ${EVENT_MONITOR_PATH_PATTERN:-["/api/v1/tables/*", "/api/v1/health-check"]} EVENT_MONITOR_LATENCY: ${EVENT_MONITOR_LATENCY:-[]} + #pipelineServiceClientConfiguration + PIPELINE_SERVICE_CLIENT_ENABLED: ${PIPELINE_SERVICE_CLIENT_ENABLED:-true} PIPELINE_SERVICE_CLIENT_CLASS_NAME: ${PIPELINE_SERVICE_CLIENT_CLASS_NAME:-"org.openmetadata.service.clients.pipeline.airflow.AirflowRESTClient"} PIPELINE_SERVICE_IP_INFO_ENABLED: ${PIPELINE_SERVICE_IP_INFO_ENABLED:-false} PIPELINE_SERVICE_CLIENT_HOST_IP: ${PIPELINE_SERVICE_CLIENT_HOST_IP:-""} @@ -143,6 +202,7 @@ x-environment: &common-env AIRFLOW_TRUST_STORE_PATH: ${AIRFLOW_TRUST_STORE_PATH:-""} AIRFLOW_TRUST_STORE_PASSWORD: ${AIRFLOW_TRUST_STORE_PASSWORD:-""} FERNET_KEY: ${FERNET_KEY:-jJ/9sz0g0OHxsfxOoSfdFdmk3ysNmPRnH3TUAbz3IHA=} + #secretsManagerConfiguration SECRET_MANAGER: ${SECRET_MANAGER:-db} # AWS: @@ -154,6 +214,7 @@ x-environment: &common-env OM_SM_CLIENT_ID: ${OM_SM_CLIENT_ID:-""} OM_SM_CLIENT_SECRET: ${OM_SM_CLIENT_SECRET:-""} OM_SM_TENANT_ID: ${OM_SM_TENANT_ID:-""} + #email configuration: OM_EMAIL_ENTITY: ${OM_EMAIL_ENTITY:-"OpenMetadata"} OM_SUPPORT_URL: ${OM_SUPPORT_URL:-"https://slack.open-metadata.org"} @@ -165,92 +226,42 @@ x-environment: &common-env SMTP_SERVER_USERNAME: ${SMTP_SERVER_USERNAME:-""} SMTP_SERVER_PWD: ${SMTP_SERVER_PWD:-""} SMTP_SERVER_STRATEGY: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"} - #extensionConfiguration - OM_RESOURCE_PACKAGES: ${OM_RESOURCE_PACKAGES:-[]} - OM_EXTENSIONS: ${OM_EXTENSIONS:-[]} + # Heap OPTS Configurations OPENMETADATA_HEAP_OPTS: ${OPENMETADATA_HEAP_OPTS:--Xmx1G -Xms1G} - #Cache - WEB_CONF_CACHE_CONTROL: ${WEB_CONF_CACHE_CONTROL:-""} - WEB_CONF_PRAGMA: ${WEB_CONF_PRAGMA:-""} - #CSP - WEB_CONF_XSS_CSP_ENABLED: ${WEB_CONF_XSS_CSP_ENABLED:-false} - WEB_CONF_XSS_CSP_POLICY: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"} - WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY: ${WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY:-""} - #XSS-Protection - WEB_CONF_XSS_PROTECTION_ENABLED: ${WEB_CONF_XSS_PROTECTION_ENABLED:-false} - WEB_CONF_XSS_PROTECTION_ON: ${WEB_CONF_XSS_PROTECTION_ON:-true} - WEB_CONF_XSS_PROTECTION_BLOCK: ${WEB_CONF_XSS_PROTECTION_BLOCK:-true} - #Content Type - WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED: ${WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED:-false} - #Frame Options - WEB_CONF_FRAME_OPTION_ENABLED: ${WEB_CONF_FRAME_OPTION_ENABLED:-false} - WEB_CONF_FRAME_OPTION: ${WEB_CONF_FRAME_OPTION:-"SAMEORIGIN"} - WEB_CONF_FRAME_ORIGIN: ${WEB_CONF_FRAME_ORIGIN:-""} + # Mask passwords values in UI + MASK_PASSWORDS_API: ${MASK_PASSWORDS_API:-false} + + #OpenMetadata Web Configuration + WEB_CONF_URI_PATH: ${WEB_CONF_URI_PATH:-"/api"} #HSTS WEB_CONF_HSTS_ENABLED: ${WEB_CONF_HSTS_ENABLED:-false} WEB_CONF_HSTS_MAX_AGE: ${WEB_CONF_HSTS_MAX_AGE:-"365 days"} WEB_CONF_HSTS_INCLUDE_SUBDOMAINS: ${WEB_CONF_HSTS_INCLUDE_SUBDOMAINS:-"true"} WEB_CONF_HSTS_PRELOAD: ${WEB_CONF_HSTS_PRELOAD:-"true"} - #OpenMetadata Web Configuration - WEB_CONF_URI_PATH: ${WEB_CONF_URI_PATH:-"/api"} + #Frame Options + WEB_CONF_FRAME_OPTION_ENABLED: ${WEB_CONF_FRAME_OPTION_ENABLED:-false} + WEB_CONF_FRAME_OPTION: ${WEB_CONF_FRAME_OPTION:-"SAMEORIGIN"} + WEB_CONF_FRAME_ORIGIN: ${WEB_CONF_FRAME_ORIGIN:-""} + #Content Type + WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED: ${WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED:-false} + #XSS-Protection + WEB_CONF_XSS_PROTECTION_ENABLED: ${WEB_CONF_XSS_PROTECTION_ENABLED:-false} + WEB_CONF_XSS_PROTECTION_ON: ${WEB_CONF_XSS_PROTECTION_ON:-true} + WEB_CONF_XSS_PROTECTION_BLOCK: ${WEB_CONF_XSS_PROTECTION_BLOCK:-true} + #CSP + WEB_CONF_XSS_CSP_ENABLED: ${WEB_CONF_XSS_CSP_ENABLED:-false} + WEB_CONF_XSS_CSP_POLICY: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"} + WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY: ${WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY:-""} #Referrer-Policy WEB_CONF_REFERRER_POLICY_ENABLED: ${WEB_CONF_REFERRER_POLICY_ENABLED:-false} WEB_CONF_REFERRER_POLICY_OPTION: ${WEB_CONF_REFERRER_POLICY_OPTION:-"SAME_ORIGIN"} #Permission-Policy WEB_CONF_PERMISSION_POLICY_ENABLED: ${WEB_CONF_PERMISSION_POLICY_ENABLED:-false} - WEB_CONF_PERMISSION_POLICY_OPTION: ${WEB_CONF_PERMISSION_POLICY_OPTION:-""} - -services: - mysql: - container_name: openmetadata_mysql - image: docker.getcollate.io/openmetadata/db:1.5.0-SNAPSHOT - command: "--sort_buffer_size=10M" - restart: always - environment: - MYSQL_ROOT_PASSWORD: password - expose: - - 3306 - ports: - - "3306:3306" - volumes: - - ./docker-volume/db-data:/var/lib/mysql - networks: - - app_net - healthcheck: - test: mysql --user=root --password=$$MYSQL_ROOT_PASSWORD --silent --execute "use openmetadata_db" - interval: 15s - timeout: 10s - retries: 10 - - - elasticsearch: - container_name: openmetadata_elasticsearch - image: docker.elastic.co/elasticsearch/elasticsearch:8.11.4 - environment: - - discovery.type=single-node - - ES_JAVA_OPTS=-Xms1024m -Xmx1024m - - xpack.security.enabled=false - networks: - - app_net - ports: - - "9200:9200" - - "9300:9300" - healthcheck: - test: "curl -s http://localhost:9200/_cluster/health?pretty | grep status | grep -qE 'green|yellow' || exit 1" - interval: 15s - timeout: 10s - retries: 10 - volumes: - - es-data:/usr/share/elasticsearch/data - - - execute-migrate-all: - container_name: execute_migrate_all - image: docker.getcollate.io/openmetadata/server:1.5.0-SNAPSHOT - command: "./bootstrap/openmetadata-ops.sh migrate" - environment: - <<: *common-env + WEB_CONF_PERMISSION_POLICY_OPTION: ${WEB_CONF_PERMISSION_POLICY_OPTION:-""} + #Cache + WEB_CONF_CACHE_CONTROL: ${WEB_CONF_CACHE_CONTROL:-""} + WEB_CONF_PRAGMA: ${WEB_CONF_PRAGMA:-""} depends_on: elasticsearch: condition: service_healthy @@ -264,7 +275,193 @@ services: restart: always image: docker.getcollate.io/openmetadata/server:1.5.0-SNAPSHOT environment: - <<: *common-env + OPENMETADATA_CLUSTER_NAME: ${OPENMETADATA_CLUSTER_NAME:-openmetadata} + SERVER_PORT: ${SERVER_PORT:-8585} + SERVER_ADMIN_PORT: ${SERVER_ADMIN_PORT:-8586} + LOG_LEVEL: ${LOG_LEVEL:-INFO} + + # OpenMetadata Server Authentication Configuration + AUTHORIZER_CLASS_NAME: ${AUTHORIZER_CLASS_NAME:-org.openmetadata.service.security.DefaultAuthorizer} + AUTHORIZER_REQUEST_FILTER: ${AUTHORIZER_REQUEST_FILTER:-org.openmetadata.service.security.JwtFilter} + AUTHORIZER_ADMIN_PRINCIPALS: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]} + AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]} + AUTHORIZER_INGESTION_PRINCIPALS: ${AUTHORIZER_INGESTION_PRINCIPALS:-[ingestion-bot]} + AUTHORIZER_PRINCIPAL_DOMAIN: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"open-metadata.org"} + AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN: ${AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN:-false} + AUTHORIZER_ENABLE_SECURE_SOCKET: ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false} + AUTHENTICATION_PROVIDER: ${AUTHENTICATION_PROVIDER:-basic} + AUTHENTICATION_RESPONSE_TYPE: ${AUTHENTICATION_RESPONSE_TYPE:-id_token} + CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME: ${CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME:-""} + AUTHENTICATION_PUBLIC_KEYS: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]} + AUTHENTICATION_AUTHORITY: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com} + AUTHENTICATION_CLIENT_ID: ${AUTHENTICATION_CLIENT_ID:-""} + AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""} + AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]} + AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING:-[]} + AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true} + AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public} + #For OIDC Authentication, when client is confidential + OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""} + OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc. + OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""} + OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"} + OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""} + OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true} + OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"} + OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"} + OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true} + OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"} + OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"} + OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"} + OIDC_TENANT: ${OIDC_TENANT:-""} + OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""} + OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}} + # For SAML Authentication + # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false} + # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""} + # SAML_IDP_SSO_LOGIN_URL: ${SAML_IDP_SSO_LOGIN_URL:-""} + # SAML_IDP_CERTIFICATE: ${SAML_IDP_CERTIFICATE:-""} + # SAML_AUTHORITY_URL: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"} + # SAML_IDP_NAME_ID: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"} + # SAML_SP_ENTITY_ID: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"} + # SAML_SP_ACS: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"} + # SAML_SP_CERTIFICATE: ${SAML_SP_CERTIFICATE:-""} + # SAML_SP_CALLBACK: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"} + # SAML_STRICT_MODE: ${SAML_STRICT_MODE:-false} + # SAML_SP_TOKEN_VALIDITY: ${SAML_SP_TOKEN_VALIDITY:-"3600"} + # SAML_SEND_ENCRYPTED_NAME_ID: ${SAML_SEND_ENCRYPTED_NAME_ID:-false} + # SAML_SEND_SIGNED_AUTH_REQUEST: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false} + # SAML_SIGNED_SP_METADATA: ${SAML_SIGNED_SP_METADATA:-false} + # SAML_WANT_MESSAGE_SIGNED: ${SAML_WANT_MESSAGE_SIGNED:-false} + # SAML_WANT_ASSERTION_SIGNED: ${SAML_WANT_ASSERTION_SIGNED:-false} + # SAML_WANT_ASSERTION_ENCRYPTED: ${SAML_WANT_ASSERTION_ENCRYPTED:-false} + # SAML_WANT_NAME_ID_ENCRYPTED: ${SAML_WANT_NAME_ID_ENCRYPTED:-false} + # SAML_KEYSTORE_FILE_PATH: ${SAML_KEYSTORE_FILE_PATH:-""} + # SAML_KEYSTORE_ALIAS: ${SAML_KEYSTORE_ALIAS:-""} + # SAML_KEYSTORE_PASSWORD: ${SAML_KEYSTORE_PASSWORD:-""} + # For LDAP Authentication + # AUTHENTICATION_LDAP_HOST: ${AUTHENTICATION_LDAP_HOST:-} + # AUTHENTICATION_LDAP_PORT: ${AUTHENTICATION_LDAP_PORT:-} + # AUTHENTICATION_LOOKUP_ADMIN_DN: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-""} + # AUTHENTICATION_LOOKUP_ADMIN_PWD: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-""} + # AUTHENTICATION_USER_LOOKUP_BASEDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-""} + # AUTHENTICATION_USER_MAIL_ATTR: ${AUTHENTICATION_USER_MAIL_ATTR:-} + # AUTHENTICATION_LDAP_POOL_SIZE: ${AUTHENTICATION_LDAP_POOL_SIZE:-3} + # AUTHENTICATION_LDAP_SSL_ENABLED: ${AUTHENTICATION_LDAP_SSL_ENABLED:-} + # AUTHENTICATION_LDAP_TRUSTSTORE_TYPE: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll} + # AUTHENTICATION_LDAP_TRUSTSTORE_PATH: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-} + # AUTHENTICATION_LDAP_KEYSTORE_PASSWORD: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-} + # AUTHENTICATION_LDAP_SSL_KEY_FORMAT: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-} + # AUTHENTICATION_LDAP_ALLOW_WILDCARDS: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-} + # AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]} + # AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-} + # AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true} + + # JWT Configuration + RSA_PUBLIC_KEY_FILE_PATH: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"} + RSA_PRIVATE_KEY_FILE_PATH: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"} + JWT_ISSUER: ${JWT_ISSUER:-"open-metadata.org"} + JWT_KEY_ID: ${JWT_KEY_ID:-"Gb389a-9f76-gdjs-a92j-0242bk94356"} + # OpenMetadata Server Pipeline Service Client Configuration + PIPELINE_SERVICE_CLIENT_ENDPOINT: ${PIPELINE_SERVICE_CLIENT_ENDPOINT:-http://ingestion:8080} + PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL: ${PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL:-300} + SERVER_HOST_API_URL: ${SERVER_HOST_API_URL:-http://openmetadata-server:8585/api} + PIPELINE_SERVICE_CLIENT_VERIFY_SSL: ${PIPELINE_SERVICE_CLIENT_VERIFY_SSL:-"no-ssl"} + PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH: ${PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH:-""} + # Database configuration for MySQL + DB_DRIVER_CLASS: ${DB_DRIVER_CLASS:-com.mysql.cj.jdbc.Driver} + DB_SCHEME: ${DB_SCHEME:-mysql} + DB_PARAMS: ${DB_PARAMS:-allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC} + DB_USER: ${DB_USER:-openmetadata_user} + DB_USER_PASSWORD: ${DB_USER_PASSWORD:-openmetadata_password} + DB_HOST: ${DB_HOST:-mysql} + DB_PORT: ${DB_PORT:-3306} + OM_DATABASE: ${OM_DATABASE:-openmetadata_db} + # ElasticSearch Configurations + ELASTICSEARCH_HOST: ${ELASTICSEARCH_HOST:- elasticsearch} + ELASTICSEARCH_PORT: ${ELASTICSEARCH_PORT:-9200} + ELASTICSEARCH_SCHEME: ${ELASTICSEARCH_SCHEME:-http} + ELASTICSEARCH_USER: ${ELASTICSEARCH_USER:-""} + ELASTICSEARCH_PASSWORD: ${ELASTICSEARCH_PASSWORD:-""} + SEARCH_TYPE: ${SEARCH_TYPE:- "elasticsearch"} + ELASTICSEARCH_TRUST_STORE_PATH: ${ELASTICSEARCH_TRUST_STORE_PATH:-""} + ELASTICSEARCH_TRUST_STORE_PASSWORD: ${ELASTICSEARCH_TRUST_STORE_PASSWORD:-""} + ELASTICSEARCH_CONNECTION_TIMEOUT_SECS: ${ELASTICSEARCH_CONNECTION_TIMEOUT_SECS:-5} + ELASTICSEARCH_SOCKET_TIMEOUT_SECS: ${ELASTICSEARCH_SOCKET_TIMEOUT_SECS:-60} + ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS: ${ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS:-600} + ELASTICSEARCH_BATCH_SIZE: ${ELASTICSEARCH_BATCH_SIZE:-100} + ELASTICSEARCH_PAYLOAD_BYTES_SIZE: ${ELASTICSEARCH_PAYLOAD_BYTES_SIZE:-10485760} #max payLoadSize in Bytes + ELASTICSEARCH_INDEX_MAPPING_LANG: ${ELASTICSEARCH_INDEX_MAPPING_LANG:-EN} + + #eventMonitoringConfiguration + EVENT_MONITOR: ${EVENT_MONITOR:-prometheus} + EVENT_MONITOR_BATCH_SIZE: ${EVENT_MONITOR_BATCH_SIZE:-10} + EVENT_MONITOR_PATH_PATTERN: ${EVENT_MONITOR_PATH_PATTERN:-["/api/v1/tables/*", "/api/v1/health-check"]} + EVENT_MONITOR_LATENCY: ${EVENT_MONITOR_LATENCY:-[]} + + #pipelineServiceClientConfiguration + PIPELINE_SERVICE_CLIENT_ENABLED: ${PIPELINE_SERVICE_CLIENT_ENABLED:-true} + PIPELINE_SERVICE_CLIENT_CLASS_NAME: ${PIPELINE_SERVICE_CLIENT_CLASS_NAME:-"org.openmetadata.service.clients.pipeline.airflow.AirflowRESTClient"} + PIPELINE_SERVICE_IP_INFO_ENABLED: ${PIPELINE_SERVICE_IP_INFO_ENABLED:-false} + PIPELINE_SERVICE_CLIENT_HOST_IP: ${PIPELINE_SERVICE_CLIENT_HOST_IP:-""} + PIPELINE_SERVICE_CLIENT_SECRETS_MANAGER_LOADER: ${PIPELINE_SERVICE_CLIENT_SECRETS_MANAGER_LOADER:-"noop"} + #airflow parameters + AIRFLOW_USERNAME: ${AIRFLOW_USERNAME:-admin} + AIRFLOW_PASSWORD: ${AIRFLOW_PASSWORD:-admin} + AIRFLOW_TIMEOUT: ${AIRFLOW_TIMEOUT:-10} + AIRFLOW_TRUST_STORE_PATH: ${AIRFLOW_TRUST_STORE_PATH:-""} + AIRFLOW_TRUST_STORE_PASSWORD: ${AIRFLOW_TRUST_STORE_PASSWORD:-""} + FERNET_KEY: ${FERNET_KEY:-jJ/9sz0g0OHxsfxOoSfdFdmk3ysNmPRnH3TUAbz3IHA=} + + #secretsManagerConfiguration + SECRET_MANAGER: ${SECRET_MANAGER:-db} + #parameters: + OM_SM_REGION: ${OM_SM_REGION:-""} + OM_SM_ACCESS_KEY_ID: ${OM_SM_ACCESS_KEY_ID:-""} + OM_SM_ACCESS_KEY: ${OM_SM_ACCESS_KEY:-""} + + #email configuration: + OM_EMAIL_ENTITY: ${OM_EMAIL_ENTITY:-"OpenMetadata"} + OM_SUPPORT_URL: ${OM_SUPPORT_URL:-"https://slack.open-metadata.org"} + AUTHORIZER_ENABLE_SMTP : ${AUTHORIZER_ENABLE_SMTP:-false} + OPENMETADATA_SERVER_URL: ${OPENMETADATA_SERVER_URL:-""} + OPENMETADATA_SMTP_SENDER_MAIL: ${OPENMETADATA_SMTP_SENDER_MAIL:-""} + SMTP_SERVER_ENDPOINT: ${SMTP_SERVER_ENDPOINT:-""} + SMTP_SERVER_PORT: ${SMTP_SERVER_PORT:-""} + SMTP_SERVER_USERNAME: ${SMTP_SERVER_USERNAME:-""} + SMTP_SERVER_PWD: ${SMTP_SERVER_PWD:-""} + SMTP_SERVER_STRATEGY: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"} + + # Heap OPTS Configurations + OPENMETADATA_HEAP_OPTS: ${OPENMETADATA_HEAP_OPTS:--Xmx1G -Xms1G} + # Mask passwords values in UI + MASK_PASSWORDS_API: ${MASK_PASSWORDS_API:-false} + + #OpenMetadata Web Configuration + WEB_CONF_URI_PATH: ${WEB_CONF_URI_PATH:-"/api"} + #HSTS + WEB_CONF_HSTS_ENABLED: ${WEB_CONF_HSTS_ENABLED:-false} + WEB_CONF_HSTS_MAX_AGE: ${WEB_CONF_HSTS_MAX_AGE:-"365 days"} + WEB_CONF_HSTS_INCLUDE_SUBDOMAINS: ${WEB_CONF_HSTS_INCLUDE_SUBDOMAINS:-"true"} + WEB_CONF_HSTS_PRELOAD: ${WEB_CONF_HSTS_PRELOAD:-"true"} + #Frame Options + WEB_CONF_FRAME_OPTION_ENABLED: ${WEB_CONF_FRAME_OPTION_ENABLED:-false} + WEB_CONF_FRAME_OPTION: ${WEB_CONF_FRAME_OPTION:-"SAMEORIGIN"} + WEB_CONF_FRAME_ORIGIN: ${WEB_CONF_FRAME_ORIGIN:-""} + #Content Type + WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED: ${WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED:-false} + #XSS-Protection + WEB_CONF_XSS_PROTECTION_ENABLED: ${WEB_CONF_XSS_PROTECTION_ENABLED:-false} + WEB_CONF_XSS_PROTECTION_ON: ${WEB_CONF_XSS_PROTECTION_ON:-true} + WEB_CONF_XSS_PROTECTION_BLOCK: ${WEB_CONF_XSS_PROTECTION_BLOCK:-true} + #CSP + WEB_CONF_XSS_CSP_ENABLED: ${WEB_CONF_XSS_CSP_ENABLED:-false} + WEB_CONF_XSS_CSP_POLICY: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"} + WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY: ${WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY:-""} + #Cache + WEB_CONF_CACHE_CONTROL: ${WEB_CONF_CACHE_CONTROL:-""} + WEB_CONF_PRAGMA: ${WEB_CONF_PRAGMA:-""} + expose: - 8585 - 8586 @@ -327,12 +524,6 @@ services: - ingestion-volume-dags:/opt/airflow/dags - ingestion-volume-tmp:/tmp -volumes: - ingestion-volume-dag-airflow: - ingestion-volume-dags: - ingestion-volume-tmp: - es-data: - networks: app_net: