Mohit Yadav 51559c590b
Added Ldap Authentication Documentation (#8804)
* Adding Basic Auth Document

* Updated with review Comments

* Updated with review Comments

* Fixed alignment issues

* Added Ldap Authentication Doc

* Type Fix

* Review comment fix
2022-11-16 17:06:16 +05:30


title: Basic Authentication
slug: /deployment/security/basic-auth

UserName/Password Login

Out of the box, OpenMetadata comes with a Username & Password Login Mechanism.

The default Username and Password for Login are:

Username - admin
Password - admin

Change this password (or replace the account via adminPrincipals, described below) before the instance is reachable by anyone else: a well-known default credential is the first thing tried against an exposed deployment.

Setting up Basic Auth Manually

Below are the required steps to set up the Basic Login:

Set up Configurations in openmetadata.yaml

Authentication Configuration

  • The following configuration controls the auth mechanism for OpenMetadata. Update the mentioned fields as required.
authenticationConfiguration:
  provider: ${AUTHENTICATION_PROVIDER:-basic}
  publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/config/jwks]}
  authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}
  enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}

For the Basic auth we need to set:

  • provider -> basic

  • publicKeyUrls -> {http|https}://{your_domain}:{port}/api/v1/config/jwks

  • authority -> {your_domain}

  • enableSelfSignup -> This flag indicates whether users can sign up on OpenMetadata by themselves. When it is true, registration is limited only by allowedEmailRegistrationDomains, so do not leave it true together with the ["all"] default on an internet-facing deployment.

Authorizer Configuration

  • This configuration controls the authorizer for OpenMetadata:
authorizerConfiguration:
  adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
  allowedEmailRegistrationDomains: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]}
  principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"openmetadata.org"}

For the Basic auth we need to set:

  • adminPrincipals -> admin usernames to bootstrap the server with, comma-separated values

  • allowedEmailRegistrationDomains -> This controls which email domains are allowed to register when self-signup is enabled. It can be your {principalDomain} as well, for example gmail.com, outlook.com etc. The default ["all"] accepts any domain.

  • principalDomain -> The email domain of your organization. Bootstrapped admins are addressed as {adminName}@{principalDomain}, so generated passwords (see below) are mailed to that domain.

Please note the following are the formats to bootstrap admins on server startup:

[admin1,admin2,admin3]

  • This works for SMTP-enabled servers: the login password for each of these users is generated randomly and sent to the mailbox {adminName}@{principalDomain}. If SMTP is not enabled for OpenMetadata, please use the method below to create admin users.

[admin1:password1,admin2:password2,admin3:password3]

  • This bootstraps the server with the given passwords; each user can change theirs later from the profile page. Because these passwords sit in plain text in openmetadata.yaml or in the AUTHORIZER_ADMIN_PRINCIPALS environment variable, treat them as first-login bootstrap secrets: keep the file or variable out of version control and change the passwords right after the first login.

Jwt Configuration

  • Please note that the JWT Configuration is mandatory to work with UserName/Password Login.
jwtTokenConfiguration:
  rsapublicKeyFilePath: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"}
  rsaprivateKeyFilePath: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"}
  jwtissuer: ${JWT_ISSUER:-"open-metadata.org"}
  keyId: ${JWT_KEY_ID:-"Gb389a-9f76-gdjs-a92j-0242bk94356"}

By default, the jwtTokenConfiguration is shipped with OM.

For Local/Testing Deployment

  • You can work with the existing configuration or generate private/public keys.

For Production Deployment

  • It is a MUST to update the JWT configuration: the key pair and keyId that ship with the distribution are identical in every download, so anyone who has them can sign tokens your server will accept. The following steps can be used.

  • Generating Private/Public Keys

openssl genrsa -out private_key.pem 2048
openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key.pem -out private_key.der -nocrypt
openssl rsa -in private_key.pem -pubout -outform DER -out public_key.der

The -nocrypt option writes private_key.der without a passphrase, which is the form the server loads, so restrict private_key.pem and private_key.der to the service account (for example chmod 600) and keep them out of version control.

Update the fields below with the paths of the generated private_key.der and public_key.der.

rsapublicKeyFilePath: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"}
rsaprivateKeyFilePath: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"}

Jwt Issuer can be your principalDomain

jwtissuer: ${JWT_ISSUER:-"open-metadata.org"}

The KeyID is a randomly generated UUID string. Use any UUID generator to get a new KeyID.

keyId: ${JWT_KEY_ID:-"Gb389a-9f76-gdjs-a92j-0242bk94356"}
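After rotating the keys, the check worth running is that the JWKS the server publishes at /api/v1/config/jwks really is the new public key and no longer carries the shipped keyId. The script below is an added example, not OpenMetadata project code: it decodes the RSA SubjectPublicKeyInfo that `openssl rsa -pubout -outform DER` writes to public_key.der (stdlib only, no cryptography library), turns it into the n/e members of an RFC 7517 JWK, and diffs that against a JWKS document. The function names, the toy-sized modulus and the sample JWKS in the __main__ block are constructed for the example; in a real run, read public_key.der from disk and fetch the JWKS from your server.

```python
# Added example, not OpenMetadata project code. Pure stdlib. The DER handling
# covers only the RSA SubjectPublicKeyInfo layout that
# `openssl rsa -pubout -outform DER` produces; the sample key in __main__ is a
# constructed toy modulus, not a real key.
import base64
import json

SHIPPED_KEY_ID = "Gb389a-9f76-gdjs-a92j-0242bk94356"   # keyId every download ships with
_OID_RSA = bytes.fromhex("06092a864886f70d010101")    # OID 1.2.840.113549.1.1.1 rsaEncryption
_NULL = b"\x05\x00"

def _der_len(n):
    """DER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)

def encode_rsa_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key, i.e. the content of public_key.der."""
    rsa_public_key = _tlv(0x30, _der_int(n) + _der_int(e))
    algorithm_id = _tlv(0x30, _OID_RSA + _NULL)
    return _tlv(0x30, algorithm_id + _tlv(0x03, b"\x00" + rsa_public_key))

def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def decode_rsa_spki(der):
    """Extract (n, e) from an RSA SubjectPublicKeyInfo; ValueError for anything else."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, algorithm_id, pos = _read_tlv(spki, 0)
    if tag != 0x30 or _read_tlv(algorithm_id, 0)[1] != _OID_RSA[2:]:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string, 1)   # skip the unused-bits byte
    tag_n, n_bytes, pos = _read_tlv(rsa_public_key, 0)
    tag_e, e_bytes, _ = _read_tlv(rsa_public_key, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey INTEGERs missing")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def _b64url_uint(value):
    """RFC 7518 Base64urlUInt: minimal big-endian bytes, URL-safe alphabet, no padding."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwk_from_spki(der, kid):
    n, e = decode_rsa_spki(der)
    return {"kty": "RSA", "kid": kid, "n": _b64url_uint(n), "e": _b64url_uint(e)}

def check_jwks(jwks_json, spki_der, expected_kid):
    """Findings (empty = OK) for the JWKS document served at /api/v1/config/jwks."""
    findings = []
    expected = jwk_from_spki(spki_der, expected_kid)
    keys = json.loads(jwks_json).get("keys", [])
    if any(k.get("kid") == SHIPPED_KEY_ID for k in keys):
        findings.append("served JWKS still advertises the shipped default keyId")
    served = [k for k in keys if k.get("kid") == expected_kid]
    if not served:
        findings.append(f"keyId {expected_kid} is not in the served JWKS")
    elif (served[0].get("n"), served[0].get("e")) != (expected["n"], expected["e"]):
        findings.append("served n/e differ from the configured public_key.der")
    return findings

if __name__ == "__main__":
    # Constructed: a toy modulus standing in for the 2048-bit key, and a JWKS
    # that still lists the shipped keyId next to the rotated one.
    der = encode_rsa_spki(2**2047 + 12345, 65537)
    rotated = jwk_from_spki(der, "3f0c1d6e-7a2b-4c8d-9e1f-0a2b3c4d5e6f")
    jwks = json.dumps({"keys": [{"kty": "RSA", "kid": SHIPPED_KEY_ID, "n": "AA", "e": "AQAB"}, rotated]})
    print(check_jwks(jwks, der, rotated["kid"]))
```

Feed check_jwks() the body of GET /api/v1/config/jwks, the bytes of your public_key.der and the keyId you configured; an empty list means the server advertises exactly the key you generated, and anything else is worth chasing before the instance goes live.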

Setting up SMTP Server

  • With the above, Basic Authentication is set up. For a better login experience, you can also set up an SMTP server so that users can reset passwords, receive account status updates, etc.
email:
  emailingEntity: ${OM_EMAIL_ENTITY:-"OpenMetadata"} -> Company Name (Optional)
  supportUrl: ${OM_SUPPORT_URL:-"https://slack.open-metadata.org"} -> SupportUrl (Optional)
  enableSmtpServer : ${AUTHORIZER_ENABLE_SMTP:-false} -> True/False
  openMetadataUrl: ${OPENMETADATA_SERVER_URL:-""} -> {http/https}://{your_domain}
  serverEndpoint: ${SMTP_SERVER_ENDPOINT:-""} -> (Ex :- smtp.gmail.com)
  serverPort: ${SMTP_SERVER_PORT:-""} -> (SSL/TLS port)
  username: ${SMTP_SERVER_USERNAME:-""} -> (SMTP Server Username)
  password: ${SMTP_SERVER_PWD:-""} -> (SMTP Server Password)
  transportationStrategy: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"}
  • Following are the valid values for transportationStrategy:

    SMTP -> use this if the SMTP port is 25 (no transport encryption: the SMTP credentials and the password-reset mails travel in clear text, so only use it on a trusted network)

    SMTPS -> use this if the SMTP port is 465 (implicit TLS)

    SMTP_TLS -> use this if the SMTP port is 587 (STARTTLS)
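Pulling the settings from this page together, the script below is an added example (not OpenMetadata project code) of a pre-deployment check: it expands the ${VAR:-default} placeholders in the form the YAML uses, from an environment you pass in, and then flags the combinations this page warns about (the shipped keyId, self-signup with ["all"], the stock admin account without SMTP, inline bootstrap passwords, JWKS fetched over plain HTTP, and port-25 SMTP). RAW_CONFIG mirrors the placeholder strings shown above as a flat dictionary, and the hardened environment in __main__ is constructed for the example; loading the real openmetadata.yaml is left to the reader.

```python
# Added example, not OpenMetadata project code: expand the ${VAR:-default}
# placeholders that openmetadata.yaml uses, then run production hardening checks
# over the resolved values. RAW_CONFIG is a constructed flat mirror of the keys
# shown on this page; a real run would take them from the YAML file.
import os
import re

# Placeholder syntax used throughout openmetadata.yaml: ${NAME} or ${NAME:-default}
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}")
SHIPPED_KEY_ID = "Gb389a-9f76-gdjs-a92j-0242bk94356"   # keyId every download ships with
DEFAULT_ADMIN = "admin"                               # out-of-the-box login is admin / admin

# Constructed sample: the placeholder strings exactly as they appear on this page
RAW_CONFIG = {
    "provider": "${AUTHENTICATION_PROVIDER:-basic}",
    "publicKeyUrls": "${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/config/jwks]}",
    "enableSelfSignup": "${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}",
    "adminPrincipals": "${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}",
    "allowedEmailRegistrationDomains": '${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]}',
    "keyId": '${JWT_KEY_ID:-"Gb389a-9f76-gdjs-a92j-0242bk94356"}',
    "enableSmtpServer": "${AUTHORIZER_ENABLE_SMTP:-false}",
    "transportationStrategy": '${SMTP_SERVER_STRATEGY:-"SMTP_TLS"}',
}

def resolve(value, env=None):
    """Expand every ${VAR:-default} in value from env (os.environ if None)."""
    env = os.environ if env is None else env
    def substitute(match):
        name, default = match.group(1), match.group(2)
        if name in env:
            return env[name]
        if default is None:
            raise KeyError(f"{name} is unset and has no default")
        return default
    return _PLACEHOLDER.sub(substitute, value).strip().strip('"')

def parse_list(text):
    """Parse the bracketed list form used on this page, e.g. [admin1,admin2:pw2]."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return [item.strip().strip('"') for item in text.split(",") if item.strip()]

def hardening_findings(raw_config, env=None):
    """Resolve raw_config against env and return [(severity, message), ...]."""
    cfg = {key: resolve(value, env) for key, value in raw_config.items()}
    if cfg["provider"] != "basic":
        return [("INFO", f"provider is {cfg['provider']}; basic-auth checks skipped")]
    findings = []
    smtp = cfg["enableSmtpServer"].lower() == "true"
    # Shipped signing key: whoever has the distribution can mint tokens for this server
    if cfg["keyId"] == SHIPPED_KEY_ID:
        findings.append(("FAIL", "jwtTokenConfiguration.keyId is the shipped default; "
                                 "regenerate the RSA pair and set a fresh UUID"))
    # Open self-signup: any e-mail domain may register an account
    if (cfg["enableSelfSignup"].lower() == "true"
            and "all" in parse_list(cfg["allowedEmailRegistrationDomains"])):
        findings.append(("FAIL", "enableSelfSignup is true with allowedEmailRegistrationDomains "
                                 "[all]; restrict the domains or disable self-signup"))
    # Bootstrap admins: stock account keeps admin/admin, inline passwords live in config
    for entry in parse_list(cfg["adminPrincipals"]):
        name, _, password = entry.partition(":")
        if name == DEFAULT_ADMIN and not password and not smtp:
            findings.append(("FAIL", "adminPrincipals keeps the stock 'admin' account without "
                                     "SMTP; its password stays 'admin' until changed"))
        elif password:
            findings.append(("WARN", f"admin '{name}' has an inline password in the config; "
                                     "change it after first login"))
    # A JWKS fetched over plain HTTP from another host can be swapped in transit
    for url in parse_list(cfg["publicKeyUrls"]):
        if url.startswith("http://") and "localhost" not in url:
            findings.append(("WARN", f"publicKeyUrls entry {url} is fetched over plain HTTP"))
    # Port-25 SMTP carries reset links and the SMTP password without encryption
    if smtp and cfg["transportationStrategy"] == "SMTP":
        findings.append(("WARN", "transportationStrategy SMTP (port 25) has no transport "
                                 "encryption; prefer SMTPS (465) or SMTP_TLS (587)"))
    return findings

def is_production_ready(raw_config, env=None):
    return not any(sev == "FAIL" for sev, _ in hardening_findings(raw_config, env))

if __name__ == "__main__":
    for severity, message in hardening_findings(RAW_CONFIG, {}):   # stock defaults
        print(f"{severity}: {message}")
    hardened = {   # constructed environment for a hardened deployment
        "AUTHENTICATION_ENABLE_SELF_SIGNUP": "false",
        "AUTHORIZER_ADMIN_PRINCIPALS": "[alice,bob]",
        "AUTHORIZER_ENABLE_SMTP": "true",
        "JWT_KEY_ID": "3f0c1d6e-7a2b-4c8d-9e1f-0a2b3c4d5e6f",
    }
    print("production ready:", is_production_ready(RAW_CONFIG, hardened))
```

Run against the stock defaults the script reports three FAIL findings (shipped keyId, open self-signup, stock admin account); with the constructed hardened environment it reports none. Passing env=None makes resolve() read the real process environment, which is how the same checks can run on the host right before the server starts.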