
title | slug |
---|---|
Basic Authentication | /deployment/security/basic-auth |
Username/Password Login
Out of the box, OpenMetadata ships with a username and password login mechanism.
The default credentials are:
Username - admin
Password - admin
These defaults are identical in every installation, so change the admin password (from the profile page) or bootstrap your own admins (see Authorizer Configuration) before the server is reachable by anyone else.
Setting up Basic Auth Manually
Below are the required steps to set up the Basic Login:
Set up Configurations in openmetadata.yaml
Authentication Configuration
- The following configuration controls the auth mechanism for OpenMetadata. Update the mentioned fields as required.
```yaml
authenticationConfiguration:
  provider: ${AUTHENTICATION_PROVIDER:-basic}
  publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/config/jwks]}
  authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}
  enableSelfSignup: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
```
For Basic auth, set:
- provider -> basic
- publicKeyUrls -> {http|https}://{your_domain}:{port}/api/v1/config/jwks (a list; this is the server's own JWKS endpoint, which publishes the public half of the JWT key pair configured below)
- authority -> {your_domain}
- enableSelfSignup -> whether users can register themselves on OpenMetadata. When enabled, anyone who can reach the login page and has an address in an allowed registration domain can create an account, so pair it with a restrictive allowedEmailRegistrationDomains or disable it in production.
Authorizer Configuration
- This configuration controls the authorizer for OpenMetadata:
```yaml
authorizerConfiguration:
  adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
  allowedEmailRegistrationDomains: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]}
  principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"openmetadata.org"}
```
For Basic auth, set:
- adminPrincipals -> usernames to bootstrap as admins on server startup, comma-separated
- allowedEmailRegistrationDomains -> the email domains allowed to register, for example gmail.com or outlook.com; this can include your {principalDomain}. The default ["all"] accepts any domain, which is rarely what you want outside a test setup.
- principalDomain -> your organisation's email domain. Bootstrapped admins are given the address {adminName}@{principalDomain}.
Admins can be bootstrapped on server startup in either of the following formats:
[admin1,admin2,admin3]
- For SMTP-enabled servers only: a random login password is generated for each admin and sent to {adminName}@{principalDomain}. If SMTP is not enabled for OpenMetadata, use the format below.
[admin1:password1,admin2:password2,admin3:password3]
- Bootstraps the server with the given passwords; each user can change theirs later from the profile page. Prefer passing this list through the AUTHORIZER_ADMIN_PRINCIPALS environment variable so that passwords are not committed into openmetadata.yaml.
Jwt Configuration
- The JWT configuration is mandatory for Username/Password login: the server signs the tokens it issues with this RSA key pair.
```yaml
jwtTokenConfiguration:
  rsapublicKeyFilePath: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"}
  rsaprivateKeyFilePath: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"}
  jwtissuer: ${JWT_ISSUER:-"open-metadata.org"}
  keyId: ${JWT_KEY_ID:-"Gb389a-9f76-gdjs-a92j-0242bk94356"}
```
By default, a jwtTokenConfiguration with a sample key pair is shipped with OpenMetadata. That key pair is part of the public distribution, so anyone who has it can mint tokens that a server still using it will accept.
For Local/Testing Deployment
- You can work with the existing configuration or generate private/public keys.
For Production Deployment
- It is a MUST to update the JWT configuration. The following steps can be used.
- Generating Private/Public Keys
```bash
openssl genrsa -out private_key.pem 2048
openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key.pem -out private_key.der -nocrypt
openssl rsa -in private_key.pem -pubout -outform DER -out public_key.der
```
Update the paths below with those of the generated private_key.der and public_key.der, and keep the private key readable by the OpenMetadata service user only.
```yaml
rsapublicKeyFilePath: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"}
rsaprivateKeyFilePath: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"}
```
The JWT issuer can be your principalDomain:
```yaml
jwtissuer: ${JWT_ISSUER:-"open-metadata.org"}
```
The keyId is a randomly generated UUID string. Use any UUID generator to get a new keyId:
```yaml
keyId: ${JWT_KEY_ID:-"Gb389a-9f76-gdjs-a92j-0242bk94356"}
```
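The key-generation and keyId steps above, as an added example script that is not part of the OpenMetadata docs or code base: it runs the same three openssl commands with a restrictive umask, derives a version-4 UUID for keyId, and checks that the two DER files belong together before they go into openmetadata.yaml. Function names, the output-directory argument and the default issuer are this example's own assumptions; only openssl and POSIX tools are used.

```shell
#!/bin/sh
# Added example (not OpenMetadata's own code): generate the JWT key pair for
# jwtTokenConfiguration, derive a keyId, and verify the pair.
set -eu

# Produce private_key.der (unencrypted PKCS#8) and public_key.der
# (SubjectPublicKeyInfo) in $1, exactly as the page's three openssl commands do.
gen_jwt_keys() {
  dir="$1"
  mkdir -p "$dir"
  (
    umask 077   # nothing written here is group- or world-readable
    cd "$dir"
    openssl genrsa -out private_key.pem 2048 2>/dev/null
    openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key.pem \
      -out private_key.der -nocrypt
    openssl rsa -in private_key.pem -pubout -outform DER -out public_key.der 2>/dev/null
    chmod 644 public_key.der   # the public half may be shared; the server serves it at /api/v1/config/jwks
  )
}

# Return 0 when public_key.der is the public half of private_key.der, 1 otherwise.
# Re-derives the public key from the DER private key and compares SHA-256 digests.
keys_match() {
  dir="$1"
  derived=$(openssl pkey -inform DER -in "$dir/private_key.der" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}')
  stored=$(openssl dgst -sha256 "$dir/public_key.der" | awk '{print $NF}')
  [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# Random RFC 4122 version-4 UUID for keyId, built from 16 bytes of openssl rand:
# nibble 13 becomes the version "4", nibble 17 is forced into the 8/9/a/b variant range.
new_key_id() {
  hex=$(openssl rand -hex 16)
  variant=$(printf '%s' "$hex" | cut -c17 | tr '0-9a-f' '89ab89ab89ab89ab')
  printf '%s-%s-4%s-%s%s-%s\n' \
    "$(printf '%s' "$hex" | cut -c1-8)" \
    "$(printf '%s' "$hex" | cut -c9-12)" \
    "$(printf '%s' "$hex" | cut -c14-16)" \
    "$variant" \
    "$(printf '%s' "$hex" | cut -c18-20)" \
    "$(printf '%s' "$hex" | cut -c21-32)"
}

# Return 0 if $1 is a well-formed version-4 UUID (the shipped sample keyId is not).
is_uuid_v4() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'
}

# Print the jwtTokenConfiguration fragment for the generated material.
render_jwt_config() {
  dir="$1"; issuer="$2"; kid="$3"
  printf 'jwtTokenConfiguration:\n'
  printf '  rsapublicKeyFilePath: "%s/public_key.der"\n' "$dir"
  printf '  rsaprivateKeyFilePath: "%s/private_key.der"\n' "$dir"
  printf '  jwtissuer: "%s"\n' "$issuer"
  printf '  keyId: "%s"\n' "$kid"
}

# Usage (hypothetical paths): sh jwt_keys.sh /etc/openmetadata/jwt example.org
if [ "${1:-}" ]; then
  gen_jwt_keys "$1"
  keys_match "$1" || { echo "public/private key mismatch" >&2; exit 1; }
  render_jwt_config "$1" "${2:-open-metadata.org}" "$(new_key_id)"
fi
```

The printed fragment can be pasted into openmetadata.yaml or exported as RSA_PUBLIC_KEY_FILE_PATH, RSA_PRIVATE_KEY_FILE_PATH, JWT_ISSUER and JWT_KEY_ID; the mismatch check is what catches a public_key.der copied from a different server.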
Setting up SMTP Server
- With Basic Authentication in place, you can also set up an SMTP server so that users can reset their password, receive account status updates, and so on.
```yaml
email:
  emailingEntity: ${OM_EMAIL_ENTITY:-"OpenMetadata"}                # Company name (optional)
  supportUrl: ${OM_SUPPORT_URL:-"https://slack.open-metadata.org"}  # Support URL (optional)
  enableSmtpServer: ${AUTHORIZER_ENABLE_SMTP:-false}                # true/false
  openMetadataUrl: ${OPENMETADATA_SERVER_URL:-""}                   # {http|https}://{your_domain}
  serverEndpoint: ${SMTP_SERVER_ENDPOINT:-""}                       # e.g. smtp.gmail.com
  serverPort: ${SMTP_SERVER_PORT:-""}                               # SSL/TLS port matching transportationStrategy
  username: ${SMTP_SERVER_USERNAME:-""}                             # SMTP server username
  password: ${SMTP_SERVER_PWD:-""}                                  # SMTP server password; set it via SMTP_SERVER_PWD rather than in the file
  transportationStrategy: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"}
```
- Valid values for transportationStrategy:
SMTP -> plaintext SMTP, normally port 25; credentials and mail travel unencrypted, so use it only on a trusted network
SMTPS -> SMTP over TLS from the first byte (implicit TLS), normally port 465
SMTP_TLS -> SMTP upgraded to TLS with STARTTLS, normally port 587