yujunjun/OpenMetadata
1
0
Fork 0
mirror of https://github.com/open-metadata/OpenMetadata.git synced 2025-07-17 22:21:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenMetadata/openmetadata-docs/content/deployment/security/keycloak/index.md
Nahuel bd78ae28ac
Fix Keycloak documentation (#8149)
2022-10-14 17:37:44 +02:00

4.1 KiB
Raw Blame History

title slug
Keycloak SSO /deployment/security/keycloak

Keycloak SSO

Follow the sections in this guide to set up Keycloak SSO.

Create Server Credentials

Step 1: Access the Keycloak Admin Console

login-page
  • Enter the username and password you created.

Step 2: Change Realm selected

  • The Keycloak use Realms as the primary form of organization, we can't use the realm "master" for new clients (apps), only for administration, so change for your specific realm or create a new.
  • In this example we are used an existing one called "Data-sec".
change-realm

Step 3: Create OpenMetadata as a new Client

  • Click on Clients in the menu.
  • Click on Create button.
  • Enter the Client ID and Protocol as the image.
  • Click on Save button.
add-client

Step 4: Edit settings of the client

  • Change "Acess Type" value from "public" to "confidential".
  • Change "implicit flow" and "service accounts" to enabled.
edit-settings-client
  • At the bottom of the same settings page, change the configurations to the openmetadata address.
  • The image below shows different possibilities, such as running locally or with a custom domain.
edit-settings-url.png
  • Click on Save button.

Step 5: Where to Find the Credentials

  • Navigate to the Credentials tab.
  • You will find your Client Secret related to the Client id "open-metadata"
client-credentials
  • Navigate to the Service Account Roles tab.
  • You will find your service account id related to the Client id "open-metadata"
client-service-account.png

After the applying these steps, the users in your realm are able to login in the openmetadata, as a suggestion create a user called "admin-user". Now you can update the configuration of your deployment:

Configure Keycloak SSO for your Docker Deployment. Configure Keycloak SSO for your Bare Metal Deployment. Configure Keycloak SSO for your Kubernetes Deployment.

Configure Ingestion

After everything has been set up, you will need to configure your workflows if you are running them via the metadata CLI or with any custom scheduler.

Note that KeyCloak SSO is a layer on top of Custom OIDC.

When setting up the YAML config for the connector, update the workflowConfig as follows:

workflowConfig:
  openMetadataServerConfig:
    hostPort: 'http://localhost:8585/api'
    authProvider: custom-oidc
    securityConfig:
      clientId: '{your_client_id}'
      secretKey: '{your_client_secret}'
      tokenEndpoint: '{your_token_endpoint}' # e.g. http://localhost:8081/realms/data-sec/protocol/openid-connect/token
A dockerized demo for showing how this SSO works with OpenMetadata can be found [here](https://github.com/open-metadata/openmetadata-demo/tree/main/keycloak-sso).