Pere Miquel Brull 7140b344d0
Docs migration - Deployment and upgrades (#5984)
2022-07-09 20:31:41 +02:00


---
title: Azure SSO
slug: /deployment/security/azure
---

Azure SSO

Follow the sections in this guide to set up Azure SSO.

Step 1: Log in to Azure Active Directory

Admin permissions are required to register the application on the Azure portal.

Step 2: Create a New Application

  • From Azure Active Directory, open App Registrations in the left navigation bar.
  • Click New Registration. This registration is for the OpenMetadata UI.
  • Provide an application name for the registration.
  • Provide the redirect URL as a Single-page application.
  • Click Register.

Step 3: Where to Find the Credentials

  • The Client ID and the Tenant ID are displayed in the Overview section of the registered application.
  • The authority is the login URL with the Tenant ID appended: https://login.microsoftonline.com/TenantID. For example:
"authority": "https://login.microsoftonline.com/c11234b7c-b1b2-9854-0mn1-56abh3dea295"

Step 1: Access Tokens and ID Tokens

  • Navigate to the newly registered application.
  • Click the Authentication section.
  • Under implicit grant and hybrid flows, select the checkboxes for Access tokens and ID tokens.
  • Click Save.

Step 2: Expose an API

  • Navigate to the Expose an API section.
  • Set the App ID URI. If it has not been set yet, the default value is api://<client_id>.
  • Click Save.

Step 3: Add a Scope

  • Click on Add a Scope.
  • Enter the details with a custom scope name to expose.
  • Once completed, click on Add Scope.

Step 4: Register Another Azure Application

A second Azure application must be registered for service ingestion.

  • Provide an application name.
  • Create a public client redirect URI.
  • Click Register.

Step 5: API Permissions

  • Navigate to the Ingestion Application created in Step 4.
  • Navigate to the API Permissions section.
  • Click Add a permission and select the OpenMetadata application registered earlier (the one that exposes the API).
  • Select the custom scope created in Step 3.
  • Click Add permissions.

Step 6: Grant Admin Consent

OpenMetadata Ingestion authenticates to the OpenMetadata API with the OAuth2 Client Credentials grant. In the Client Credentials flow there is no consent screen for application permissions, because it is machine-to-machine communication with no user present. The Ingestion application therefore has to be pre-consented by an Azure Active Directory administrator before it can request the scope exposed by the OpenMetadata application.

  • Navigate to Azure Active Directory >> Enterprise Applications.
  • Open the ingestion application created in Step 4. This object is also called the Service Principal.
  • Click Permissions.
  • Click Grant admin consent for Default Directory.

Step 7: Set the App ID URI

  • Navigate to Azure Active Directory >> App Registrations >> [OpenMetadata Ingestion Application] >> Expose an API.
  • Click Set next to Application ID URI.
  • Click Save. This App ID URI is required for the scopes used when connecting from manual ingestion.

Step 8: Create a Client Secret

  • Navigate to Certificates & secrets to generate the clientSecret.
  • Click New client secret.
  • Enter a description and an expiry period. Prefer the shortest expiry your rotation process can keep up with; the ingestion configuration must be updated before the secret lapses.
  • Copy the secret Value as soon as it is created: the portal shows it only once. This value is the clientSecret required for ingestion.

Step 9: Note down the clientId, authority and clientSecret

  • clientId: the Application (Client) ID displayed in the Overview section of the ingestion application created in Step 4.
  • authority: the login URL with the Tenant ID appended, as shown below. https://login.microsoftonline.com/TenantID
  • clientSecret: the secret value created in Step 8 under Certificates & secrets.

This information is required to configure Airflow.


After applying these steps, update the configuration of your deployment:

  • Configure Azure SSO for your Docker Deployment.
  • Configure Azure SSO for your Bare Metal Deployment.
  • Configure Azure SSO for your Kubernetes Deployment.

Configure Ingestion

After everything has been set up, you will need to configure your workflows if you are running them via the metadata CLI or with any custom scheduler.

When setting up the YAML config for the connector, update the workflowConfig as follows:

```yaml
workflowConfig:
  openMetadataServerConfig:
    hostPort: 'http://localhost:8585/api'   # use https outside local testing: the bearer token is sent here
    authProvider: azure
    securityConfig:
      clientSecret: '{your_client_secret}'  # the secret Value from Step 8; keep it out of version control
      authority: '{your_authority_url}'     # https://login.microsoftonline.com/<tenant-id>
      clientId: '{your_client_id}'          # Application (Client) ID of the ingestion application
      scopes:
        - your_scopes                       # client credentials require <App ID URI>/.default, e.g. api://<client_id>/.default
```
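The following Python script is an added example, not OpenMetadata code, showing what the ingestion side of the Client Credentials flow from Step 6 does with the values recorded in Step 9 and placed in securityConfig: it derives the tenant and token endpoint from the authority URL (rejecting plain http or a foreign host, so a typo cannot send the client secret elsewhere), builds the token request with the mandatory <App ID URI>/.default scope, and applies the claim checks any resource server should perform on the returned access token before trusting it. The tenant ID is the page's placeholder, the client IDs and secret are hypothetical, the sample tokens are constructed inline and carry no signature, and verification of the RS256 signature against the tenant's JWKS (https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys) is deliberately left as a separate, mandatory step that this script does not perform.

```python
"""Client-credentials request builder and access-token claim checks for the
Azure setup above. Added example, not OpenMetadata code. The tenant ID is the
page's placeholder, the client IDs and secret are hypothetical, and the sample
tokens are constructed here with an empty signature segment."""
import base64
import json
import time
from urllib.parse import urlencode, urlparse

AAD_HOST = "login.microsoftonline.com"


def tenant_from_authority(authority: str) -> str:
    """Return the tenant ID from https://login.microsoftonline.com/<tenant-id>.
    Plain http, another host, or extra path segments are rejected so a
    misconfigured authority cannot leak the client secret to the wrong endpoint."""
    parsed = urlparse(authority)
    tenant = parsed.path.strip("/")
    if parsed.scheme != "https" or parsed.netloc != AAD_HOST or not tenant or "/" in tenant:
        raise ValueError(f"unexpected authority: {authority!r}")
    return tenant


def client_credentials_request(authority, client_id, client_secret, app_id_uri):
    """Return (token_endpoint, form_body) for the OAuth2 client-credentials grant.
    The v2.0 token endpoint only accepts '<resource>/.default' as the scope in
    this flow; the custom scope from Step 3 is covered by the consent of Step 6."""
    tenant = tenant_from_authority(authority)
    endpoint = f"https://{AAD_HOST}/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": app_id_uri.rstrip("/") + "/.default",
    })
    return endpoint, body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the claims segment of a compact JWT. No signature verification here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_token_claims(token, tenant_id, accepted_audiences, now=None):
    """Return the list of claim problems (empty list means the claims are acceptable).
    iss and tid pin the token to our tenant, aud pins it to our API, and the time
    claims reject expired or premature tokens. The RS256 signature must still be
    verified against the tenant JWKS before any of these claims are trusted."""
    now = int(time.time()) if now is None else now
    claims = jwt_claims(token)
    problems = []
    expected_iss = f"https://{AAD_HOST}/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer {claims.get('iss')!r} != {expected_iss!r}")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the configured tenant")
    if claims.get("aud") not in accepted_audiences:
        problems.append(f"audience {claims.get('aud')!r} not accepted")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("token expired or has no exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and nbf > now:
        problems.append("token not yet valid")
    return problems


def _unsigned_token(claims: dict) -> str:
    """Constructed for the demo only: header and claims with an empty signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."


# Placeholder tenant ID from the page; the client IDs below are hypothetical.
TENANT_ID = "c11234b7c-b1b2-9854-0mn1-56abh3dea295"
AUTHORITY = f"https://{AAD_HOST}/{TENANT_ID}"
UI_CLIENT_ID = "00000000-0000-0000-0000-00000000aaaa"   # OpenMetadata UI app (Step 2)
INGESTION_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # ingestion app (Step 4)
APP_ID_URI = f"api://{UI_CLIENT_ID}"                   # default App ID URI from Expose an API
NOW = 1_700_000_000                                    # fixed clock for the demo


def demo():
    """Build the request, then check one acceptable and one bad constructed token."""
    endpoint, body = client_credentials_request(
        AUTHORITY, INGESTION_CLIENT_ID, "<client-secret>", APP_ID_URI)
    issuer = f"https://{AAD_HOST}/{TENANT_ID}/v2.0"
    good = _unsigned_token({"iss": issuer, "tid": TENANT_ID, "aud": APP_ID_URI,
                            "nbf": NOW - 60, "exp": NOW + 3600})
    # Minted for some other API in the same tenant, and already expired.
    bad = _unsigned_token({"iss": issuer, "tid": TENANT_ID, "aud": "api://some-other-api",
                           "nbf": NOW - 7200, "exp": NOW - 1})
    accepted = {APP_ID_URI, UI_CLIENT_ID}   # v1 tokens carry the App ID URI, v2 the client ID
    return (endpoint, body,
            check_token_claims(good, TENANT_ID, accepted, now=NOW),
            check_token_claims(bad, TENANT_ID, accepted, now=NOW))


if __name__ == "__main__":
    endpoint, body, good_problems, bad_problems = demo()
    print("POST", endpoint)
    print(body)
    print("good token problems:", good_problems)
    print("bad token problems:", bad_problems)
```

The audience set accepts both the App ID URI and the bare client ID because Azure AD puts one or the other in aud depending on the token version the API is configured to accept; pin it to the single form your deployment actually sees once you have inspected a real token.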