title: Google SSO for Kubernetes
slug: /deployment/security/google/kubernetes

Google SSO for Kubernetes

Check the Helm information here.

Once the Client ID and Client Secret are generated, use the snippet below as an example of where to place the client ID value and how to update the authorizer configuration in values.yaml.

Before 0.12.1

global:
  authorizer:
    className: "org.openmetadata.catalog.security.DefaultAuthorizer"
    containerRequestFilter: "org.openmetadata.catalog.security.JwtFilter"
    initialAdmins:
      - "user1"
      - "user2"
    botPrincipals:
      - "<service_application_client_id>"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "google"
    publicKeys:
      - "https://www.googleapis.com/oauth2/v3/certs"
    authority: "https://accounts.google.com"
    clientId: "{client id}"
    callbackUrl: "http://localhost:8585/callback"
  airflow:
    openmetadata:
      authProvider: "google"
      google:
        # absolute path of secret file on airflow instance
        secretKeyPath: ""
        audience: "https://www.googleapis.com/oauth2/v4/token"

After 0.12.1

global:
  authorizer:
    className: "org.openmetadata.catalog.security.DefaultAuthorizer"
    containerRequestFilter: "org.openmetadata.catalog.security.JwtFilter"
    initialAdmins:
      - "user1"
      - "user2"
    botPrincipals:
      - "<service_application_client_id>"
    principalDomain: "open-metadata.org"
  authentication:
    provider: "google"
    publicKeys:
      - "https://www.googleapis.com/oauth2/v3/certs"
    authority: "https://accounts.google.com"
    clientId: "{client id}"
    callbackUrl: "http://localhost:8585/callback"

Set up the ingestion-bot

In 0.12.1, we must set up the ingestion-bot from the UI, under Settings > Bots.

  • Click on ingestion-bot
  • Select Google SSO from the list.
  • Configure it with your SSO values. Ensure that the account email of your SSO matches the bot's.

Note:

  1. JWT Token auth mechanism

If you decide to configure a JWT Token as the authentication mechanism, ensure that you also have the value http://localhost:8585/api/v1/config/jwks in your publicKeys list:

global:
  authentication:
    publicKeys:
      - "https://www.googleapis.com/oauth2/v3/certs"
      - "http://localhost:8585/api/v1/config/jwks"

  2. Redeploying ingestion pipelines

When the ingestion-bot is updated, we must redeploy our ingestion pipelines: the credentials used by the bot have changed, so the ones the deployed pipelines hold are no longer valid.
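
A pre-deployment check for the settings above, as an added example that is not part of the OpenMetadata project: it lints the `global` block of an already-parsed values.yaml for leftover placeholders, a missing JWKS entry when the bot uses a JWT token, plain-HTTP URLs on non-local hosts, and a leftover `airflow.openmetadata.google` block. The function name `lint_values`, its flags and the sample values are assumptions made for illustration; treating the `airflow` block as obsolete after 0.12.1 is read from the two snippets above.

```python
from urllib.parse import urlparse

GOOGLE_JWKS = "https://www.googleapis.com/oauth2/v3/certs"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the page's template values with a stale airflow block left in.
SAMPLE = {"global": {
    "authorizer": {"botPrincipals": ["<service_application_client_id>"]},
    "authentication": {
        "provider": "google",
        "publicKeys": [GOOGLE_JWKS],
        "clientId": "{client id}",
        "callbackUrl": "http://openmetadata.example.com/callback",
    },
    "airflow": {"openmetadata": {"authProvider": "google", "google": {"secretKeyPath": ""}}},
}}

def lint_values(values, bot_uses_jwt=False, after_0_12_1=True):
    """Return findings for the `global` block of a parsed values.yaml (hypothetical helper)."""
    g = values.get("global", {})
    auth, authz = g.get("authentication", {}), g.get("authorizer", {})
    findings = []
    # Template placeholders from the docs must be replaced before deploying.
    client_id = auth.get("clientId", "")
    if not client_id or client_id.startswith("{"):
        findings.append("authentication.clientId is still a placeholder")
    for p in authz.get("botPrincipals", []):
        if p.startswith("<") and p.endswith(">"):
            findings.append(f"authorizer.botPrincipals contains placeholder {p}")
    keys = auth.get("publicKeys", [])
    if auth.get("provider") == "google" and GOOGLE_JWKS not in keys:
        findings.append("authentication.publicKeys is missing the Google certs URL")
    # A JWT-token bot can only be verified if the server's own JWKS is listed too.
    if bot_uses_jwt and not any(k.endswith("/api/v1/config/jwks") for k in keys):
        findings.append("bot uses a JWT token but publicKeys lacks /api/v1/config/jwks")
    # Keys or callbacks served over plain HTTP from a non-local host can be altered in transit.
    for name, url in [("callbackUrl", auth.get("callbackUrl", ""))] + [("publicKeys", k) for k in keys]:
        u = urlparse(url)
        if u.scheme == "http" and u.hostname not in LOCAL_HOSTS:
            findings.append(f"authentication.{name} uses plain http: {url}")
    # After 0.12.1 the bot is configured in the UI, not under global.airflow (assumption).
    if after_0_12_1 and "google" in g.get("airflow", {}).get("openmetadata", {}):
        findings.append("global.airflow.openmetadata.google is a pre-0.12.1 setting")
    return findings

if __name__ == "__main__":
    for finding in lint_values(SAMPLE, bot_uses_jwt=True):
        print("-", finding)
```

To run it against a real file, parse the file first (for example with PyYAML's `yaml.safe_load`) and pass the resulting dictionary in place of `SAMPLE`.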