fix: Docs for Authrizer Ingestion Principals deprecation note (#8997)

* update docs for deprecated Ingestion Bot Principal * Add section example for custom airflow k8s config
2025-08-23 16:38:17 +00:00 · 2022-11-24 12:33:59 +05:30 · 2022-11-24 12:33:59 +05:30 · b41a3e0d77
commit b41a3e0d77
parent 95f0f4d9e1
12 changed files with 161 additions and 29 deletions
--- a/openmetadata-docs/content/deployment/airflow/index.md
+++ b/openmetadata-docs/content/deployment/airflow/index.md
@ -117,6 +117,7 @@ The OpenMetadata server takes all its configurations from a YAML file. You can f
 `openmetadata.yaml`, update the `airflowConfiguration` section accordingly.

 ```yaml
+# For Bare Metal Installations
 [...]

 airflowConfiguration:
@ -124,7 +125,6 @@ airflowConfiguration:
   username: ${AIRFLOW_USERNAME:-admin}
   password: ${AIRFLOW_PASSWORD:-admin}
   metadataApiEndpoint: ${SERVER_HOST_API_URL:-http://localhost:8585/api}
-   authProvider: ${AIRFLOW_AUTH_PROVIDER:-"no-auth"}

 [...]
 ```
@ -136,6 +136,22 @@ AIRFLOW_HOST: ${AIRFLOW_HOST:-http://ingestion:8080}
 SERVER_HOST_API_URL: ${SERVER_HOST_API_URL:-http://openmetadata-server:8585/api}
 ```

+If using Kubernetes, make sure that you are passing the correct values to Helm Chart:
+
+```yaml
+# Custom OpenMetadata Values.yaml
+global:
+   airflow:
+    enabled: true
+    # endpoint url for airflow
+    host: http://openmetadata-dependencies-web.default.svc.cluster.local:8080
+    auth:
+      username: admin
+      password:
+        secretRef: airflow-secrets
+        secretKey: openmetadata-airflow-password
+```
+
 #### Validating the installation

 What we need to verify here is that the OpenMetadata server can reach the Airflow APIs endpoints 
--- a/openmetadata-docs/content/deployment/security/amazon-cognito-sso/docker.md
+++ b/openmetadata-docs/content/deployment/security/amazon-cognito-sso/docker.md
@ -17,7 +17,6 @@ generated when setting up the account in the previous steps.
 AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
 AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
 AUTHORIZER_ADMIN_PRINCIPALS=[admin]  # Your `name` from name@domain.com
-AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot]
 AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain

 AUTHENTICATION_PROVIDER=aws-cognito
--- a/openmetadata-docs/content/deployment/security/auth0/docker.md
+++ b/openmetadata-docs/content/deployment/security/auth0/docker.md
@ -52,6 +52,22 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```

+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin]  # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=auth0
+AUTHENTICATION_PUBLIC_KEYS=[{Domain}/.well-known/jwks.json] # Update with your Domain
+AUTHENTICATION_AUTHORITY={Domain} # Update with your Domain
+AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
 ingesting data from Airflow.

--- a/openmetadata-docs/content/deployment/security/auth0/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/auth0/kubernetes.md
@ -60,5 +60,24 @@ global:
    callbackUrl: "http://localhost:8585/callback"
 ```

+### After 0.13.0
+
+```yaml
+global:
+  authorizer:
+    className: "org.openmetadata.service.security.DefaultAuthorizer"
+    containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
+    initialAdmins: 
+    - "suresh"
+    principalDomain: "open-metadata.org"
+  authentication:
+    provider: "auth0"
+    publicKeys: 
+    - "{Auth0 Domain Name}/.well-known/jwks.json"
+    authority: "https://parth-panchal.us.auth0.com/"
+    clientId: "{Client ID}"
+    callbackUrl: "http://localhost:8585/callback"
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
 ingesting data from Airflow.
--- a/openmetadata-docs/content/deployment/security/azure/docker.md
+++ b/openmetadata-docs/content/deployment/security/azure/docker.md
@ -63,6 +63,21 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Appli
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```

+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin]  # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=azure
+AUTHENTICATION_PUBLIC_KEYS=[https://login.microsoftonline.com/common/discovery/keys]
+AUTHENTICATION_AUTHORITY=https://login.microsoftonline.com/{Tenant ID} # Update with your Tenant ID
+AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Application
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+
 <Note>

 Follow [this](/deployment/security/azure#step-10-update-ingestion-bot-with-azure-sso-service-application) guide to configure the `ingestion-bot` credentials for ingesting data from Airflow.
--- a/openmetadata-docs/content/deployment/security/custom-oidc/docker.md
+++ b/openmetadata-docs/content/deployment/security/custom-oidc/docker.md
@ -56,6 +56,23 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```

+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin]  # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=custom-oidc
+CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak
+AUTHENTICATION_PUBLIC_KEYS=[{http://localhost:8080/realms/myrealm/protocol/openid-connect/certs}]
+AUTHENTICATION_AUTHORITY={http://localhost:8080/realms/myrealm}
+AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
 ingesting data from Airflow.

--- a/openmetadata-docs/content/deployment/security/enable-jwt-tokens.md
+++ b/openmetadata-docs/content/deployment/security/enable-jwt-tokens.md
@ -87,41 +87,19 @@ If you are using OpenMetadata shipped Airflow container with our APIs to deploy
 OpenMetadata UIs. Configure the below section to enable JWT Token

 ```yaml
+# For Bare Metal Installations
 airflowConfiguration:
  apiEndpoint: ${AIRFLOW_HOST:-http://localhost:8080}
  username: ${AIRFLOW_USERNAME:-admin}
  password: ${AIRFLOW_PASSWORD:-admin}
  metadataApiEndpoint: ${SERVER_HOST_API_URL:-http://localhost:8585/api}
-  authProvider: ${AIRFLOW_AUTH_PROVIDER:-"no-auth"} # Possible values are "no-auth", "azure", "google", "okta", "auth0", "custom-oidc", "openmetadata"
+  authProvider: ${AIRFLOW_AUTH_PROVIDER:-"openmetadata"} # Possible values are "no-auth", "azure", "google", "okta", "auth0", "custom-oidc", "openmetadata"
  authConfig:
-    azure:
-      clientSecret: ${OM_AUTH_AIRFLOW_AZURE_CLIENT_SECRET:-""}
-      authority: ${OM_AUTH_AIRFLOW_AZURE_AUTHORITY_URL:-""}
-      scopes: ${OM_AUTH_AIRFLOW_AZURE_SCOPES:-[]}
-      clientId:  ${OM_AUTH_AIRFLOW_AZURE_CLIENT_ID:-""}
-    google:
-      secretKey: ${OM_AUTH_AIRFLOW_GOOGLE_SECRET_KEY_PATH:- ""}
-      audience: ${OM_AUTH_AIRFLOW_GOOGLE_AUDIENCE:-"https://www.googleapis.com/oauth2/v4/token"}
-    okta:
-      clientId: ${OM_AUTH_AIRFLOW_OKTA_CLIENT_ID:-""}
-      orgURL: ${OM_AUTH_AIRFLOW_OKTA_ORGANIZATION_URL:-""}
-      privateKey: ${OM_AUTH_AIRFLOW_OKTA_PRIVATE_KEY:-""}
-      email: ${OM_AUTH_AIRFLOW_OKTA_SA_EMAIL:-""}
-      scopes: ${OM_AUTH_AIRFLOW_OKTA_SCOPES:-[]}
-    auth0:
-      clientId: ${OM_AUTH_AIRFLOW_AUTH0_CLIENT_ID:-""}
-      secretKey: ${OM_AUTH_AIRFLOW_AUTH0_CLIENT_SECRET:-""}
-      domain: ${OM_AUTH_AIRFLOW_AUTH0_DOMAIN_URL:-""}
-    customOidc:
-      clientId: ${OM_AUTH_AIRFLOW_CUSTOM_OIDC_CLIENT_ID:-""}
-      secretKey: ${OM_AUTH_AIRFLOW_CUSTOM_OIDC_SECRET_KEY_PATH:-""}
-      tokenEndpoint: ${OM_AUTH_AIRFLOW_CUSTOM_OIDC_TOKEN_ENDPOINT_URL:-""}
    openmetadata:
-      jwtToken: ${OM_AUTH_JWT_TOKEN:-""}
+      jwtToken: ${OM_AUTH_JWT_TOKEN:-"<JWT_TOKEN_FROM_UI_SETTINGS_BOTS>"}
 ```

-In the above configuration, configure `authProvider` to be "openmetadata" and configure `OM_AUTH_JWT_TOKEN` with the JWT
-token generated in the bots page.
+In the above configuration, you can see we configure `authProvider` to be "openmetadata" and `OM_AUTH_JWT_TOKEN` with the JWT token that was generated in the bots page.

 ### Using Ingestion Framework

--- a/openmetadata-docs/content/deployment/security/keycloak/docker.md
+++ b/openmetadata-docs/content/deployment/security/keycloak/docker.md
@ -38,7 +38,7 @@ OM_AUTH_AIRFLOW_CUSTOM_OIDC_SECRET_KEY={Secret Key} # Update with your Secret Ke
 OM_AUTH_AIRFLOW_CUSTOM_OIDC_TOKEN_ENDPOINT_URL="http://localhost:8081/realms/data-sec/protocol/openid-connect/token"
 ```

-### 1.1 After 0.12.1
+### 1.2 After 0.12.1

 ```shell
 # OpenMetadata Server Authentication Configuration
@ -56,6 +56,23 @@ AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```

+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin-user]  # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=custom-oidc
+CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak
+AUTHENTICATION_PUBLIC_KEYS=[{http://localhost:8081/realms/data-sec/protocol/openid-connect/certs}]
+AUTHENTICATION_AUTHORITY={http://localhost:8081/realms/data-sec}
+AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
 ingesting data from Airflow.

--- a/openmetadata-docs/content/deployment/security/okta/docker.md
+++ b/openmetadata-docs/content/deployment/security/okta/docker.md
@ -58,6 +58,22 @@ AUTHENTICATION_CLIENT_ID={CLIENT_ID - SPA APP} # Update with your Client ID
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```

+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin]  # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=okta
+AUTHENTICATION_PUBLIC_KEYS={ISSUER_URL}/v1/keys # Update with your Issuer URL
+AUTHENTICATION_AUTHORITY={ISSUER_URL} # Update with your Issuer URL
+AUTHENTICATION_CLIENT_ID={CLIENT_ID - SPA APP} # Update with your Client ID
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
 ingesting data from Airflow.

--- a/openmetadata-docs/content/deployment/security/okta/kubernetes.md
+++ b/openmetadata-docs/content/deployment/security/okta/kubernetes.md
@ -66,5 +66,25 @@ global:
    callbackUrl: "http://localhost:8585/callback"
 ```

+### After 0.13.0
+
+```yaml
+global:
+  authorizer:
+    className: "org.openmetadata.service.security.DefaultAuthorizer"
+    containerRequestFilter: "org.openmetadata.service.security.JwtFilter"
+    initialAdmins:
+      - "user1"
+      - "user2"
+    principalDomain: "open-metadata.org"
+  authentication:
+    provider: "okta"
+    publicKeys:
+      - "{ISSUER_URL}/v1/keys"
+    authority: "{ISSUER_URL}"
+    clientId: "{CLIENT_ID - SPA APP}"
+    callbackUrl: "http://localhost:8585/callback"
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
 ingesting data from Airflow.
--- a/openmetadata-docs/content/deployment/security/one-login/docker.md
+++ b/openmetadata-docs/content/deployment/security/one-login/docker.md
@ -54,6 +54,22 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
 AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
 ```

+### 1.3 After 0.13.0
+
+```shell
+# OpenMetadata Server Authentication Configuration
+AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
+AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
+AUTHORIZER_ADMIN_PRINCIPALS=[admin]  # Your `name` from name@domain.com
+AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain
+
+AUTHENTICATION_PROVIDER=custom-oidc
+AUTHENTICATION_PUBLIC_KEYS={public key url} # Update with your Public Key URL
+AUTHENTICATION_AUTHORITY={issuer url} # Update with your Issuer URL
+AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID
+AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
+```
+
 **Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
 ingesting data from Airflow.

--- a/openmetadata-docs/content/deployment/upgrade/versions/012-to-013.md
+++ b/openmetadata-docs/content/deployment/upgrade/versions/012-to-013.md
@ -10,6 +10,9 @@ Upgrading from 0.12 to 0.13 can be done directly on your instances. This page wi

 ## Highlights

+### Deprecating botPrincipals from OpenMetadata Configuration
+
+Starting with `0.13.0`, we have deprecated the initial configurations for Authorizer Bot Pincipals. This means that all the configs will be taken care from UI once it's up and running under settings >> bots section. The default once available and enabled will be `ingestion-bot` which will have JWT Token configured. You can edit the same for configuring service principals instead of using the default JWT Auth mechanism. For more information on configuring Bots, you can visit [Enable Security](/deployment/security).

 ### Service Connection Updates