Doc: Adding Docs for SAML Deployments (#16822)

Co-authored-by: Prajwal Pandit <prajwalpandit@Prajwals-MacBook-Air.local>
This commit is contained in:
Prajwal214 2024-07-04 12:37:31 +05:30 committed by GitHub
parent 2a816ed812
commit ed496ce4fb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 341 additions and 84 deletions

View File

@ -0,0 +1,53 @@
---
title: SAML SSO for Bare Metal
slug: /deployment/security/saml/bare-metal
---
# SAML SSO for Bare Metal
## Update conf/openmetadata.yaml
Follow this sections in this guide to set up Saml for almost any IDP. In Openmetadata the SAML configuration
are divided into the following three sections:-
- Identity Provide (IDP) Configuration
```yaml
idp:
entityId: ${SAML_IDP_ENTITY_ID:-"https://mocksaml.com/api/saml/sso"}
ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"https://saml.example.com/entityid"}
idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""}
authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"}
nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
```
- Service Provider (SP) Configuration (SP is Openmetadata)
```yaml
sp:
entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"}
acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"}
spX509Certificate: ${SAML_SP_CERTIFICATE:-""}
callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"}
```
- Security Config
```yaml
security:
strictMode: ${SAML_STRICT_MODE:-false}
tokenValidity: ${SAML_SP_TOKEN_VALIDITY:-"3600"}
sendEncryptedNameId: ${SAML_SEND_ENCRYPTED_NAME_ID:-false}
sendSignedAuthRequest: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false}
signSpMetadata: ${SAML_SIGNED_SP_METADATA:-false}
wantMessagesSigned: ${SAML_WANT_MESSAGE_SIGNED:-false}
wantAssertionsSigned: ${SAML_WANT_ASSERTION_SIGNED:-false}
wantAssertionEncrypted: ${SAML_WANT_ASSERTION_ENCRYPTED:-false}
wantNameIdEncrypted: ${SAML_WANT_NAME_ID_ENCRYPTED:-false}
keyStoreFilePath: ${SAML_KEYSTORE_FILE_PATH:-""}
keyStoreAlias: ${SAML_KEYSTORE_ALIAS:-""}
keyStorePassword: ${SAML_KEYSTORE_PASSWORD:-""}
```
{% partial file="/v1.4/deployment/configure-ingestion.md" /%}
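Review bot: The intro paragraph of this new page needs a proofread: "Follow this sections" should be "Follow the sections", "Saml" should be "SAML", "Openmetadata" should be "OpenMetadata", "the SAML configuration are divided" should be "is divided", "Identity Provide (IDP)" should be "Identity Provider (IdP)", and the ":-" after "sections" should go. The bigger gap is the `security` block: `strictMode`, `wantMessagesSigned`, `wantAssertionsSigned`, `wantAssertionEncrypted` and `wantNameIdEncrypted` are all shown defaulting to `false` with no explanation of what each controls or which of them a production deployment should turn on, so readers are likely to copy the permissive defaults unchanged; a one-line description per key, and a sentence on the production-recommended values, would fix that.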

View File

@ -0,0 +1,58 @@
---
title: SAML SSO for Docker
slug: /deployment/security/saml/docker
---
# Keycloak SSO for Docker
To enable security for the Docker deployment, follow the next steps:
## 1. Create an .env file
Create an `openmetadata_saml.env` file and add the following contents as an example. Use the information
generated when setting up the account.
The configuration below already uses the presets shown in the example of SAML configurations, you can change to yours.
{% note %}
If you are using an environment variable from an external file in our setup, and this environment variable is commented out in the `docker-compose` file, it will not be considered. To ensure it works, the commented section in the docker-compose file must be uncommented.
{% /note %}
```shell
# OpenMetadata Server IDP Configuration
SAML_IDP_ENTITY_ID=https://mocksaml.com/api/saml/sso
SAML_IDP_SSO_LOGIN_URL=https://saml.example.com/entityid
SAML_IDP_CERTIFICATE=/path/to/the/certificate
SAML_AUTHORITY_URL=http://localhost:8585/api/v1/saml/login
SAML_IDP_NAME_ID=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
# OpenMetadata Server SP Configuration
SAML_SP_ENTITY_ID=http://localhost:8585/api/v1/saml/metadata
SAML_SP_ACS=http://localhost:8585/api/v1/saml/acs
SAML_SP_CERTIFICATE=/path/to/the/certificate
SAML_SP_CALLBACK=http://localhost:8585/saml/callback
# OpenMetadata Server Security Configuration
SAML_STRICT_MODE=false
SAML_SP_TOKEN_VALIDITY=3600
SAML_SEND_ENCRYPTED_NAME_ID=false
SAML_SEND_SIGNED_AUTH_REQUEST=false
SAML_SIGNED_SP_METADATA=false
SAML_WANT_MESSAGE_SIGNED=false
SAML_WANT_ASSERTION_SIGNED=false
SAML_WANT_ASSERTION_ENCRYPTED=false
SAML_WANT_NAME_ID_ENCRYPTED=false
SAML_KEYSTORE_FILE_PATH=/path/to/keystore.jks
SAML_KEYSTORE_ALIAS=myKeystoreAlias
SAML_KEYSTORE_PASSWORD=myKeystorePassword
```
## 2. Start Docker
```commandline
docker compose --env-file ~/openmetadata_saml.env up -d
```
{% partial file="/v1.4/deployment/configure-ingestion.md" /%}
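Review bot: The H1 on this page is "# Keycloak SSO for Docker" while the front matter title is "SAML SSO for Docker"; the heading looks carried over from the Keycloak page and should read "# SAML SSO for Docker". Two smaller points in the env file: `SAML_IDP_CERTIFICATE=/path/to/the/certificate` and `SAML_SP_CERTIFICATE=/path/to/the/certificate` populate `idpX509Certificate` and `spX509Certificate`, so the text should say whether the value is a file path or the certificate contents; and since `SAML_KEYSTORE_PASSWORD` is written into this `.env` file in the clear, add a line telling readers to restrict the file's permissions and keep it out of version control.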

View File

@ -13,48 +13,6 @@ Security requirements for your **production** environment:
{% /note %}
Follow this sections in this guide to set up Saml for almost any IDP. In Openmetadata the SAML configuration
are divided into the following three sections:-
- Identity Provide (IDP) Configuration
```yaml
idp:
entityId: ${SAML_IDP_ENTITY_ID:-"https://mocksaml.com/api/saml/sso"}
ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"https://saml.example.com/entityid"}
idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""}
authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"}
nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
```
- Service Provider (SP) Configuration (SP is Openmetadata)
```yaml
sp:
entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"}
acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"}
spX509Certificate: ${SAML_SP_CERTIFICATE:-""}
callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"}
```
- Security Config
```yaml
security:
strictMode: ${SAML_STRICT_MODE:-false}
tokenValidity: ${SAML_SP_TOKEN_VALIDITY:-"3600"}
sendEncryptedNameId: ${SAML_SEND_ENCRYPTED_NAME_ID:-false}
sendSignedAuthRequest: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false}
signSpMetadata: ${SAML_SIGNED_SP_METADATA:-false}
wantMessagesSigned: ${SAML_WANT_MESSAGE_SIGNED:-false}
wantAssertionsSigned: ${SAML_WANT_ASSERTION_SIGNED:-false}
wantAssertionEncrypted: ${SAML_WANT_ASSERTION_ENCRYPTED:-false}
wantNameIdEncrypted: ${SAML_WANT_NAME_ID_ENCRYPTED:-false}
keyStoreFilePath: ${SAML_KEYSTORE_FILE_PATH:-""}
keyStoreAlias: ${SAML_KEYSTORE_ALIAS:-""}
keyStorePassword: ${SAML_KEYSTORE_PASSWORD:-""}
```
## Configuring Identity Provider and Service Provider
### Identity Provide (IDP) Configuration
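Review bot: The retained heading "### Identity Provide (IDP) Configuration" has the same "Provide" typo as the bullet being removed above it; since this hunk is already editing the surrounding text, fix it here. Also, now that the three YAML sections have moved off this page, check that nothing further down still refers to "the sections above", and that the per-IDP text points readers to the new deployment pages where the configuration keys now live.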
@ -122,6 +80,27 @@ More specific details on different IDPs can be found below:
href="/deployment/security/saml/aws" %}
Configure AWS as IDP.
{% /inlineCallout %}
{% inlineCallout
color="violet-70"
icon="celebration"
bold="Bare Metal Security"
href="/deployment/security/saml/bare-metal" %}
Configure SAML SSO for your Bare Metal Deployment
{% /inlineCallout %}
{% inlineCallout
color="violet-70"
icon="celebration"
bold="Docker Security"
href="/deployment/security/saml/docker" %}
Configure SAML SSO for your Docker Deployment.
{% /inlineCallout %}
{% inlineCallout
color="violet-70"
icon="celebration"
bold="Kubernetes Security"
href="/deployment/security/saml/kubernetes" %}
Configure SAML SSO for your Kubernetes Deployment.
{% /inlineCallout %}
{% /inlineCalloutContainer %}
{% partial file="/v1.4/deployment/configure-ingestion.md" /%}
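Review bot: Minor consistency point: the Bare Metal callout body "Configure SAML SSO for your Bare Metal Deployment" has no terminating period while the Docker and Kubernetes callouts do; make the three bodies uniform.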

View File

@ -0,0 +1,43 @@
---
title: SAML SSO for Kubernetes
slug: /deployment/security/saml/kubernetes
---
# SAML SSO for Kubernetes
See the snippet below for an example of SAML configurations in the `values.yaml`.
The configuration below already uses the presets shown in the example of saml configurations, you can change to yours.
```yaml
openmetadata:
config:
idp:
entityId: ${SAML_IDP_ENTITY_ID:-"https://mocksaml.com/api/saml/sso"}
ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"https://saml.example.com/entityid"}
idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""}
authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"}
nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
sp:
entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"}
acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"}
spX509Certificate: ${SAML_SP_CERTIFICATE:-""}
callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"}
security:
strictMode: ${SAML_STRICT_MODE:-false}
tokenValidity: ${SAML_SP_TOKEN_VALIDITY:-"3600"}
sendEncryptedNameId: ${SAML_SEND_ENCRYPTED_NAME_ID:-false}
sendSignedAuthRequest: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false}
signSpMetadata: ${SAML_SIGNED_SP_METADATA:-false}
wantMessagesSigned: ${SAML_WANT_MESSAGE_SIGNED:-false}
wantAssertionsSigned: ${SAML_WANT_ASSERTION_SIGNED:-false}
wantAssertionEncrypted: ${SAML_WANT_ASSERTION_ENCRYPTED:-false}
wantNameIdEncrypted: ${SAML_WANT_NAME_ID_ENCRYPTED:-false}
keyStoreFilePath: ${SAML_KEYSTORE_FILE_PATH:-""}
keyStoreAlias: ${SAML_KEYSTORE_ALIAS:-""}
keyStorePassword: ${SAML_KEYSTORE_PASSWORD:-""}
```
{% partial file="/v1.4/deployment/configure-ingestion.md" /%}
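Review bot: The `values.yaml` snippet reuses the `${SAML_IDP_ENTITY_ID:-"..."}` placeholder syntax from `openmetadata.yaml`; confirm that the Helm chart actually expands `${VAR:-default}` expressions under `openmetadata.config`, because a values file is normally consumed as literal YAML and readers would otherwise end up with the literal placeholder string. If the chart expects plain values, show those instead. Also "saml configurations" in the second sentence should be "SAML configurations".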

View File

@ -138,6 +138,12 @@ site_menu:
url: /deployment/security/keycloak/kubernetes
- category: Deployment / Enable Security / Saml
url: /deployment/security/saml
- category: Deployment / Enable Security / Saml / Docker
url: /deployment/security/saml/docker
- category: Deployment / Enable Security / Saml / Bare Metal
url: /deployment/security/saml/bare-metal
- category: Deployment / Enable Security / Saml / Kubernetes
url: /deployment/security/saml/kubernetes
- category: Deployment / Enable Security / Saml / AWS
url: /deployment/security/saml/aws
- category: Deployment / Enable Security / Enable SSL
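Review bot: Ordering: here the Docker, Bare Metal and Kubernetes entries are inserted before the existing "Saml / AWS" entry, whereas the other menu file in this commit (the `@ -141,6 +141,12 @@` hunk) inserts them after AWS. Pick one order for both docs versions so the sidebars match.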

View File

@ -0,0 +1,53 @@
---
title: SAML SSO for Bare Metal
slug: /deployment/security/saml/bare-metal
---
# SAML SSO for Bare Metal
## Update conf/openmetadata.yaml
Follow this sections in this guide to set up Saml for almost any IDP. In Openmetadata the SAML configuration
are divided into the following three sections:-
- Identity Provide (IDP) Configuration
```yaml
idp:
entityId: ${SAML_IDP_ENTITY_ID:-"https://mocksaml.com/api/saml/sso"}
ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"https://saml.example.com/entityid"}
idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""}
authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"}
nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
```
- Service Provider (SP) Configuration (SP is Openmetadata)
```yaml
sp:
entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"}
acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"}
spX509Certificate: ${SAML_SP_CERTIFICATE:-""}
callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"}
```
- Security Config
```yaml
security:
strictMode: ${SAML_STRICT_MODE:-false}
tokenValidity: ${SAML_SP_TOKEN_VALIDITY:-"3600"}
sendEncryptedNameId: ${SAML_SEND_ENCRYPTED_NAME_ID:-false}
sendSignedAuthRequest: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false}
signSpMetadata: ${SAML_SIGNED_SP_METADATA:-false}
wantMessagesSigned: ${SAML_WANT_MESSAGE_SIGNED:-false}
wantAssertionsSigned: ${SAML_WANT_ASSERTION_SIGNED:-false}
wantAssertionEncrypted: ${SAML_WANT_ASSERTION_ENCRYPTED:-false}
wantNameIdEncrypted: ${SAML_WANT_NAME_ID_ENCRYPTED:-false}
keyStoreFilePath: ${SAML_KEYSTORE_FILE_PATH:-""}
keyStoreAlias: ${SAML_KEYSTORE_ALIAS:-""}
keyStorePassword: ${SAML_KEYSTORE_PASSWORD:-""}
```
{% partial file="/v1.4/deployment/configure-ingestion.md" /%}
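Review bot: This second copy of the Bare Metal page carries the same intro typos as the first ("this sections", "Saml", "Openmetadata", "Identity Provide", "configuration are divided", the trailing ":-") and the same undocumented `security` defaults; apply the same fixes here. Separately, both copies reference `{% partial file="/v1.4/deployment/configure-ingestion.md" /%}`; if this copy lives in a different docs version directory, confirm it should not point at that version's own partial instead.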

View File

@ -0,0 +1,58 @@
---
title: SAML SSO for Docker
slug: /deployment/security/saml/docker
---
# Keycloak SSO for Docker
To enable security for the Docker deployment, follow the next steps:
## 1. Create an .env file
Create an `openmetadata_saml.env` file and add the following contents as an example. Use the information
generated when setting up the account.
The configuration below already uses the presets shown in the example of SAML configurations, you can change to yours.
{% note %}
If you are using an environment variable from an external file in our setup, and this environment variable is commented out in the `docker-compose` file, it will not be considered. To ensure it works, the commented section in the docker-compose file must be uncommented.
{% /note %}
```shell
# OpenMetadata Server IDP Configuration
SAML_IDP_ENTITY_ID=https://mocksaml.com/api/saml/sso
SAML_IDP_SSO_LOGIN_URL=https://saml.example.com/entityid
SAML_IDP_CERTIFICATE=/path/to/the/certificate
SAML_AUTHORITY_URL=http://localhost:8585/api/v1/saml/login
SAML_IDP_NAME_ID=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
# OpenMetadata Server SP Configuration
SAML_SP_ENTITY_ID=http://localhost:8585/api/v1/saml/metadata
SAML_SP_ACS=http://localhost:8585/api/v1/saml/acs
SAML_SP_CERTIFICATE=/path/to/the/certificate
SAML_SP_CALLBACK=http://localhost:8585/saml/callback
# OpenMetadata Server Security Configuration
SAML_STRICT_MODE=false
SAML_SP_TOKEN_VALIDITY=3600
SAML_SEND_ENCRYPTED_NAME_ID=false
SAML_SEND_SIGNED_AUTH_REQUEST=false
SAML_SIGNED_SP_METADATA=false
SAML_WANT_MESSAGE_SIGNED=false
SAML_WANT_ASSERTION_SIGNED=false
SAML_WANT_ASSERTION_ENCRYPTED=false
SAML_WANT_NAME_ID_ENCRYPTED=false
SAML_KEYSTORE_FILE_PATH=/path/to/keystore.jks
SAML_KEYSTORE_ALIAS=myKeystoreAlias
SAML_KEYSTORE_PASSWORD=myKeystorePassword
```
## 2. Start Docker
```commandline
docker compose --env-file ~/openmetadata_saml.env up -d
```
{% partial file="/v1.4/deployment/configure-ingestion.md" /%}
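Review bot: Same heading mismatch as the other Docker page in this commit: "# Keycloak SSO for Docker" sits under a front matter title of "SAML SSO for Docker"; change the H1 to "# SAML SSO for Docker". The certificate-path and keystore-password remarks from that page apply to this `.env` listing as well.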

View File

@ -13,48 +13,6 @@ Security requirements for your **production** environment:
{% /note %}
Follow this sections in this guide to set up Saml for almost any IDP. In Openmetadata the SAML configuration
are divided into the following three sections:-
- Identity Provide (IDP) Configuration
```yaml
idp:
entityId: ${SAML_IDP_ENTITY_ID:-"https://mocksaml.com/api/saml/sso"}
ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"https://saml.example.com/entityid"}
idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""}
authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"}
nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
```
- Service Provider (SP) Configuration (SP is Openmetadata)
```yaml
sp:
entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"}
acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"}
spX509Certificate: ${SAML_SP_CERTIFICATE:-""}
callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"}
```
- Security Config
```yaml
security:
strictMode: ${SAML_STRICT_MODE:-false}
tokenValidity: ${SAML_SP_TOKEN_VALIDITY:-"3600"}
sendEncryptedNameId: ${SAML_SEND_ENCRYPTED_NAME_ID:-false}
sendSignedAuthRequest: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false}
signSpMetadata: ${SAML_SIGNED_SP_METADATA:-false}
wantMessagesSigned: ${SAML_WANT_MESSAGE_SIGNED:-false}
wantAssertionsSigned: ${SAML_WANT_ASSERTION_SIGNED:-false}
wantAssertionEncrypted: ${SAML_WANT_ASSERTION_ENCRYPTED:-false}
wantNameIdEncrypted: ${SAML_WANT_NAME_ID_ENCRYPTED:-false}
keyStoreFilePath: ${SAML_KEYSTORE_FILE_PATH:-""}
keyStoreAlias: ${SAML_KEYSTORE_ALIAS:-""}
keyStorePassword: ${SAML_KEYSTORE_PASSWORD:-""}
```
## Configuring Identity Provider and Service Provider
### Identity Provide (IDP) Configuration
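Review bot: As in the other copy of this page, the retained "### Identity Provide (IDP) Configuration" heading should read "Identity Provider (IdP)"; fix it in this hunk while the adjacent lines are being removed.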

View File

@ -0,0 +1,43 @@
---
title: SAML SSO for Kubernetes
slug: /deployment/security/saml/kubernetes
---
# SAML SSO for Kubernetes
See the snippet below for an example of SAML configurations in the `values.yaml`.
The configuration below already uses the presets shown in the example of saml configurations, you can change to yours.
```yaml
openmetadata:
config:
idp:
entityId: ${SAML_IDP_ENTITY_ID:-"https://mocksaml.com/api/saml/sso"}
ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"https://saml.example.com/entityid"}
idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""}
authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"}
nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
sp:
entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"}
acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"}
spX509Certificate: ${SAML_SP_CERTIFICATE:-""}
callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"}
security:
strictMode: ${SAML_STRICT_MODE:-false}
tokenValidity: ${SAML_SP_TOKEN_VALIDITY:-"3600"}
sendEncryptedNameId: ${SAML_SEND_ENCRYPTED_NAME_ID:-false}
sendSignedAuthRequest: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false}
signSpMetadata: ${SAML_SIGNED_SP_METADATA:-false}
wantMessagesSigned: ${SAML_WANT_MESSAGE_SIGNED:-false}
wantAssertionsSigned: ${SAML_WANT_ASSERTION_SIGNED:-false}
wantAssertionEncrypted: ${SAML_WANT_ASSERTION_ENCRYPTED:-false}
wantNameIdEncrypted: ${SAML_WANT_NAME_ID_ENCRYPTED:-false}
keyStoreFilePath: ${SAML_KEYSTORE_FILE_PATH:-""}
keyStoreAlias: ${SAML_KEYSTORE_ALIAS:-""}
keyStorePassword: ${SAML_KEYSTORE_PASSWORD:-""}
```
{% partial file="/v1.4/deployment/configure-ingestion.md" /%}
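Review bot: As with the other `values.yaml` copy in this commit, the `${SAML_...:-"..."}` placeholders need confirming against what the Helm chart accepts under `openmetadata.config`, and "saml configurations" should be capitalised as "SAML configurations".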

View File

@ -141,6 +141,12 @@ site_menu:
url: /deployment/security/saml
- category: Deployment / Enable Security / Saml / AWS
url: /deployment/security/saml/aws
- category: Deployment / Enable Security / Saml / Docker
url: /deployment/security/saml/docker
- category: Deployment / Enable Security / Saml / Bare Metal
url: /deployment/security/saml/bare-metal
- category: Deployment / Enable Security / Saml / Kubernetes
url: /deployment/security/saml/kubernetes
- category: Deployment / Enable Security / Enable SSL
url: /deployment/security/enable-ssl
- category: Deployment / Enable Security / Enable SSL / Use Nginx