From b41a3e0d775b91c1f8af10c9347c941aa950422d Mon Sep 17 00:00:00 2001
From: Akash Jain <15995028+akash-jain-10@users.noreply.github.com>
Date: Thu, 24 Nov 2022 12:33:59 +0530
Subject: [PATCH] fix: Docs for Authrizer Ingestion Principals deprecation note (#8997)
* update docs for deprecated Ingestion Bot Principal
* Add section example for custom airflow k8s config
---
 .../content/deployment/airflow/index.md | 18 ++++++++++-
 .../security/amazon-cognito-sso/docker.md | 1 -
 .../deployment/security/auth0/docker.md | 16 ++++++++++
 .../deployment/security/auth0/kubernetes.md | 19 ++++++++++++
 .../deployment/security/azure/docker.md | 15 ++++++++++
 .../deployment/security/custom-oidc/docker.md | 17 +++++++++++
 .../deployment/security/enable-jwt-tokens.md | 30 +++----------------
 .../deployment/security/keycloak/docker.md | 19 +++++++++++-
 .../deployment/security/okta/docker.md | 16 ++++++++++
 .../deployment/security/okta/kubernetes.md | 20 +++++++++++++
 .../deployment/security/one-login/docker.md | 16 ++++++++++
 .../deployment/upgrade/versions/012-to-013.md | 3 ++
 12 files changed, 161 insertions(+), 29 deletions(-)
diff --git a/openmetadata-docs/content/deployment/airflow/index.md b/openmetadata-docs/content/deployment/airflow/index.md
index 63cb9a0bd9d..2f6caf90ef9 100644
--- a/openmetadata-docs/content/deployment/airflow/index.md
+++ b/openmetadata-docs/content/deployment/airflow/index.md
@@ -117,6 +117,7 @@ The OpenMetadata server takes all its configurations from a YAML file. You can f
 `openmetadata.yaml`, update the `airflowConfiguration` section accordingly.
 ```yaml
+# For Bare Metal Installations
 [...]
 airflowConfiguration:
@@ -124,7 +125,6 @@ airflowConfiguration:
   username: ${AIRFLOW_USERNAME:-admin}
   password: ${AIRFLOW_PASSWORD:-admin}
   metadataApiEndpoint: ${SERVER_HOST_API_URL:-http://localhost:8585/api}
-  authProvider: ${AIRFLOW_AUTH_PROVIDER:-"no-auth"}
 [...]
 ```
@@ -136,6 +136,22 @@ AIRFLOW_HOST: ${AIRFLOW_HOST:-http://ingestion:8080}
 SERVER_HOST_API_URL: ${SERVER_HOST_API_URL:-http://openmetadata-server:8585/api}
 ```
+If using Kubernetes, make sure that you are passing the correct values to Helm Chart:
+
+```yaml
+# Custom OpenMetadata Values.yaml
+global:
+  airflow:
+    enabled: true
+    # endpoint url for airflow
+    host: http://openmetadata-dependencies-web.default.svc.cluster.local:8080
+    auth:
+      username: admin
+      password:
+        secretRef: airflow-secrets
+        secretKey: openmetadata-airflow-password
+```
+
 #### Validating the installation
 What we need to verify here is that the OpenMetadata server can reach the Airflow APIs endpoints
diff --git a/openmetadata-docs/content/deployment/security/amazon-cognito-sso/docker.md b/openmetadata-docs/content/deployment/security/amazon-cognito-sso/docker.md
index 82146611421..a2f765f1159 100644
--- a/openmetadata-docs/content/deployment/security/amazon-cognito-sso/docker.md
+++ b/openmetadata-docs/content/deployment/security/amazon-cognito-sso/docker.md
@@ -17,7 +17,6 @@ generated when setting up the account in the previous steps.
 AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
 AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
 AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com
-AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot]
 AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
 AUTHENTICATION_PROVIDER=aws-cognito
diff --git a/openmetadata-docs/content/deployment/security/auth0/docker.md b/openmetadata-docs/content/deployment/security/auth0/docker.md
index a1eae5879cb..061e7fec24d 100644
--- a/openmetadata-docs/content/deployment/security/auth0/docker.md
+++ b/openmetadata-docs/content/deployment/security/auth0/docker.md
@@ -52,6 +52,22 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```
+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=auth0
+AUTHENTICATION_PUBLIC_KEYS=[{Domain}/.well-known/jwks.json] # Update with your Domain
+AUTHENTICATION_AUTHORITY={Domain} # Update with your Domain
+AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
diff --git a/openmetadata-docs/content/deployment/security/auth0/kubernetes.md b/openmetadata-docs/content/deployment/security/auth0/kubernetes.md
index 515b85cad24..cd473635b3a 100644
--- a/openmetadata-docs/content/deployment/security/auth0/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/auth0/kubernetes.md
@@ -60,5 +60,24 @@ global:
     callbackUrl: "http://localhost:8585/callback"
 ```
+### After 0.13.0
+
+```yaml
+global:
+  authorizer:
+    className: "org.openmetadata.service.security.DefaultAuthorizer"
+    containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
+    initialAdmins:
+      - "suresh"
+    principalDomain: "open-metadata.org"
+  authentication:
+    provider: "auth0"
+    publicKeys:
+      - "{Auth0 Domain Name}/.well-known/jwks.json"
+    authority: "https://parth-panchal.us.auth0.com/"
+    clientId: "{Client ID}"
+    callbackUrl: "http://localhost:8585/callback"
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
diff --git a/openmetadata-docs/content/deployment/security/azure/docker.md b/openmetadata-docs/content/deployment/security/azure/docker.md
index 67945f2e950..b5c9b1336d8 100644
--- a/openmetadata-docs/content/deployment/security/azure/docker.md
+++ b/openmetadata-docs/content/deployment/security/azure/docker.md
@@ -63,6 +63,21 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Appli
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```
+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=azure
+AUTHENTICATION_PUBLIC_KEYS=[https://login.microsoftonline.com/common/discovery/keys]
+AUTHENTICATION_AUTHORITY=https://login.microsoftonline.com/{Tenant ID} # Update with your Tenant ID
+AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Application
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+
 Follow [this](/deployment/security/azure#step-10-update-ingestion-bot-with-azure-sso-service-application) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
diff --git a/openmetadata-docs/content/deployment/security/custom-oidc/docker.md b/openmetadata-docs/content/deployment/security/custom-oidc/docker.md
index 8fe0748a28a..850539a7f2f 100644
--- a/openmetadata-docs/content/deployment/security/custom-oidc/docker.md
+++ b/openmetadata-docs/content/deployment/security/custom-oidc/docker.md
@@ -56,6 +56,23 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```
+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=custom-oidc
+CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak
+AUTHENTICATION_PUBLIC_KEYS=[{http://localhost:8080/realms/myrealm/protocol/openid-connect/certs}]
+AUTHENTICATION_AUTHORITY={http://localhost:8080/realms/myrealm}
+AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
diff --git a/openmetadata-docs/content/deployment/security/enable-jwt-tokens.md b/openmetadata-docs/content/deployment/security/enable-jwt-tokens.md
index 42c25354a1d..14c321545e5 100644
--- a/openmetadata-docs/content/deployment/security/enable-jwt-tokens.md
+++ b/openmetadata-docs/content/deployment/security/enable-jwt-tokens.md
@@ -87,41 +87,19 @@ If you are using OpenMetadata shipped Airflow container with our APIs to deploy
 OpenMetadata UIs. Configure the below section to enable JWT Token
 ```yaml
+# For Bare Metal Installations
 airflowConfiguration:
   apiEndpoint: ${AIRFLOW_HOST:-http://localhost:8080}
   username: ${AIRFLOW_USERNAME:-admin}
   password: ${AIRFLOW_PASSWORD:-admin}
   metadataApiEndpoint: ${SERVER_HOST_API_URL:-http://localhost:8585/api}
-  authProvider: ${AIRFLOW_AUTH_PROVIDER:-"no-auth"} # Possible values are "no-auth", "azure", "google", "okta", "auth0", "custom-oidc", "openmetadata"
+  authProvider: ${AIRFLOW_AUTH_PROVIDER:-"openmetadata"} # Possible values are "no-auth", "azure", "google", "okta", "auth0", "custom-oidc", "openmetadata"
   authConfig:
-    azure:
-      clientSecret: ${OM_AUTH_AIRFLOW_AZURE_CLIENT_SECRET:-""}
-      authority: ${OM_AUTH_AIRFLOW_AZURE_AUTHORITY_URL:-""}
-      scopes: ${OM_AUTH_AIRFLOW_AZURE_SCOPES:-[]}
-      clientId: ${OM_AUTH_AIRFLOW_AZURE_CLIENT_ID:-""}
-    google:
-      secretKey: ${OM_AUTH_AIRFLOW_GOOGLE_SECRET_KEY_PATH:- ""}
-      audience: ${OM_AUTH_AIRFLOW_GOOGLE_AUDIENCE:-"https://www.googleapis.com/oauth2/v4/token"}
-    okta:
-      clientId: ${OM_AUTH_AIRFLOW_OKTA_CLIENT_ID:-""}
-      orgURL: ${OM_AUTH_AIRFLOW_OKTA_ORGANIZATION_URL:-""}
-      privateKey: ${OM_AUTH_AIRFLOW_OKTA_PRIVATE_KEY:-""}
-      email: ${OM_AUTH_AIRFLOW_OKTA_SA_EMAIL:-""}
-      scopes: ${OM_AUTH_AIRFLOW_OKTA_SCOPES:-[]}
-    auth0:
-      clientId: ${OM_AUTH_AIRFLOW_AUTH0_CLIENT_ID:-""}
-      secretKey: ${OM_AUTH_AIRFLOW_AUTH0_CLIENT_SECRET:-""}
-      domain: ${OM_AUTH_AIRFLOW_AUTH0_DOMAIN_URL:-""}
-    customOidc:
-      clientId: ${OM_AUTH_AIRFLOW_CUSTOM_OIDC_CLIENT_ID:-""}
-      secretKey: ${OM_AUTH_AIRFLOW_CUSTOM_OIDC_SECRET_KEY_PATH:-""}
-      tokenEndpoint: ${OM_AUTH_AIRFLOW_CUSTOM_OIDC_TOKEN_ENDPOINT_URL:-""}
     openmetadata:
-      jwtToken: ${OM_AUTH_JWT_TOKEN:-""}
+      jwtToken: ${OM_AUTH_JWT_TOKEN:-""}
 ```
-In the above configuration, configure `authProvider` to be "openmetadata" and configure `OM_AUTH_JWT_TOKEN` with the JWT
-token generated in the bots page.
+In the above configuration, you can see we configure `authProvider` to be "openmetadata" and `OM_AUTH_JWT_TOKEN` with the JWT token that was generated in the bots page.
 ### Using Ingestion Framework
diff --git a/openmetadata-docs/content/deployment/security/keycloak/docker.md b/openmetadata-docs/content/deployment/security/keycloak/docker.md
index 8ccee67d238..0bcd04b0ec2 100644
--- a/openmetadata-docs/content/deployment/security/keycloak/docker.md
+++ b/openmetadata-docs/content/deployment/security/keycloak/docker.md
@@ -38,7 +38,7 @@ OM_AUTH_AIRFLOW_CUSTOM_OIDC_SECRET_KEY={Secret Key} # Update with your Secret Ke
 OM_AUTH_AIRFLOW_CUSTOM_OIDC_TOKEN_ENDPOINT_URL="http://localhost:8081/realms/data-sec/protocol/openid-connect/token"
 ```
-### 1.1 After 0.12.1
+### 1.2 After 0.12.1
 ```shell
 # OpenMetadata Server Authentication Configuration
@@ -56,6 +56,23 @@ AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```
+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin-user] # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=custom-oidc
+CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak
+AUTHENTICATION_PUBLIC_KEYS=[{http://localhost:8081/realms/data-sec/protocol/openid-connect/certs}]
+AUTHENTICATION_AUTHORITY={http://localhost:8081/realms/data-sec}
+AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
diff --git a/openmetadata-docs/content/deployment/security/okta/docker.md b/openmetadata-docs/content/deployment/security/okta/docker.md
index 3aaf85e0ddb..7a9e524c40d 100644
--- a/openmetadata-docs/content/deployment/security/okta/docker.md
+++ b/openmetadata-docs/content/deployment/security/okta/docker.md
@@ -58,6 +58,22 @@ AUTHENTICATION_CLIENT_ID={CLIENT_ID - SPA APP} # Update with your Client ID
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```
+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=okta
+AUTHENTICATION_PUBLIC_KEYS={ISSUER_URL}/v1/keys # Update with your Issuer URL
+AUTHENTICATION_AUTHORITY={ISSUER_URL} # Update with your Issuer URL
+AUTHENTICATION_CLIENT_ID={CLIENT_ID - SPA APP} # Update with your Client ID
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
diff --git a/openmetadata-docs/content/deployment/security/okta/kubernetes.md b/openmetadata-docs/content/deployment/security/okta/kubernetes.md
index a32e5d3c7e5..133dfe55f8d 100644
--- a/openmetadata-docs/content/deployment/security/okta/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/okta/kubernetes.md
@@ -66,5 +66,25 @@ global:
     callbackUrl: "http://localhost:8585/callback"
 ```
+### After 0.13.0
+
+```yaml
+global:
+  authorizer:
+    className: "org.openmetadata.service.security.DefaultAuthorizer"
+    containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
+    initialAdmins:
+      - "user1"
+      - "user2"
+    principalDomain: "open-metadata.org"
+  authentication:
+    provider: "okta"
+    publicKeys:
+      - "{ISSUER_URL}/v1/keys"
+    authority: "{ISSUER_URL}"
+    clientId: "{CLIENT_ID - SPA APP}"
+    callbackUrl: "http://localhost:8585/callback"
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
\ No newline at end of file
diff --git a/openmetadata-docs/content/deployment/security/one-login/docker.md b/openmetadata-docs/content/deployment/security/one-login/docker.md
index 967af7ddf2e..8361a756c27 100644
--- a/openmetadata-docs/content/deployment/security/one-login/docker.md
+++ b/openmetadata-docs/content/deployment/security/one-login/docker.md
@@ -54,6 +54,22 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```
+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin] # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=custom-oidc
+AUTHENTICATION_PUBLIC_KEYS={public key url} # Update with your Public Key URL
+AUTHENTICATION_AUTHORITY={issuer url} # Update with your Issuer URL
+AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
diff --git a/openmetadata-docs/content/deployment/upgrade/versions/012-to-013.md b/openmetadata-docs/content/deployment/upgrade/versions/012-to-013.md
index 7d97daa1c94..8766f731bde 100644
--- a/openmetadata-docs/content/deployment/upgrade/versions/012-to-013.md
+++ b/openmetadata-docs/content/deployment/upgrade/versions/012-to-013.md
@@ -10,6 +10,9 @@ Upgrading from 0.12 to 0.13 can be done directly on your instances. This page wi
 ## Highlights
+### Deprecating botPrincipals from OpenMetadata Configuration
+
+Starting with `0.13.0`, we have deprecated the initial configurations for Authorizer Bot Pincipals. This means that all the configs will be taken care from UI once it's up and running under settings >> bots section. The default once available and enabled will be `ingestion-bot` which will have JWT Token configured. You can edit the same for configuring service principals instead of using the default JWT Auth mechanism. For more information on configuring Bots, you can visit [Enable Security](/deployment/security).
 ### Service Connection Updates