OpenMetadata/conf/openmetadata.yaml

#  Copyright 2021 Collate
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#  http://www.apache.org/licenses/LICENSE-2.0
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.

clusterName: ${OPENMETADATA_CLUSTER_NAME:-openmetadata}

swagger:
  resourcePackage: org.openmetadata.service.resources


server:
  rootPath: '/api/*'
  applicationConnectors:
    - type: http
      port: ${SERVER_PORT:-8585}
  adminConnectors:
    - type: http
      port: ${SERVER_ADMIN_PORT:-8586}

# Above configuration for running http is fine for dev and testing.
# For production setup, where UI app will hit apis through DPS it
# is strongly recommended to run https instead. Note that only
# keyStorePath and keyStorePassword are mandatory properties. Values
# for other properties are defaults
#server:
  #applicationConnectors:
  #  - type: https
  #    port: 8585
  #    keyStorePath: ./conf/keystore.jks
  #    keyStorePassword: changeit
  #    keyStoreType: JKS
  #    keyStoreProvider:
  #    trustStorePath: /path/to/file
  #    trustStorePassword: changeit
  #    trustStoreType: JKS
  #    trustStoreProvider:
  #    keyManagerPassword: changeit
  #    needClientAuth: false
  #    wantClientAuth:
  #    certAlias: <alias>
  #    crlPath: /path/to/file
  #    enableCRLDP: false
  #    enableOCSP: false
  #    maxCertPathLength: (unlimited)
  #    ocspResponderUrl: (none)
  #    jceProvider: (none)
  #    validateCerts: true
  #    validatePeers: true
  #    supportedProtocols: SSLv3
  #    supportedCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  #    allowRenegotiation: true
  #    endpointIdentificationAlgorithm: (none)

  #adminConnectors:
  #  - type: https
  #    port: 8586
  #    keyStorePath: ./conf/keystore.jks
  #    keyStorePassword: changeit
  #    keyStoreType: JKS
  #    keyStoreProvider:
  #    trustStorePath: /path/to/file
  #    trustStorePassword: changeit
  #    trustStoreType: JKS
  #    trustStoreProvider:
  #    keyManagerPassword: changeit
  #    needClientAuth: false
  #    wantClientAuth:
  #    certAlias: <alias>
  #    crlPath: /path/to/file
  #    enableCRLDP: false
  #    enableOCSP: false
  #    maxCertPathLength: (unlimited)
  #    ocspResponderUrl: (none)
  #    jceProvider: (none)
  #    validateCerts: true
  #    validatePeers: true
  #    supportedProtocols: SSLv3
  #    supportedCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  #    allowRenegotiation: true
  #    endpointIdentificationAlgorithm: (none)

# Logging settings.
# https://logback.qos.ch/manual/layouts.html#conversionWord
logging:
  level: ${LOG_LEVEL:-INFO}
  loggers:
    org.openmetadata.service.util.OpenMetadataSetup:
      level: INFO
      appenders:
        - type: console
          logFormat: "%msg%n"
          timeZone: UTC
        - type: file
          logFormat: "%level [%d{ISO8601,UTC}] [%t] %logger{5} - %msg%n"
          layout:
            type: json
          currentLogFilename: ./logs/openmetadata-operations.log
          archivedLogFilenamePattern: ./logs/openmetadata-operations-%d{yyyy-MM-dd}-%i.log.gz
          archivedFileCount: 7
          timeZone: UTC
          maxFileSize: 50MB
  appenders:
    - type: console
      threshold: TRACE
      logFormat: "%level [%d{ISO8601,UTC}] [%t] %logger{5} - %msg%n"
      timeZone: UTC
    - type: file
      layout:
        type: json
        appendLineSeparator: true
      filterFactories:
        - type: audit-exclude-filter-factory
      threshold: TRACE
      logFormat: "%level [%d{ISO8601,UTC}] [%t] %logger{5} - %msg%n"
      currentLogFilename: ./logs/openmetadata.log
      archivedLogFilenamePattern: ./logs/openmetadata-%d{yyyy-MM-dd}-%i.log.gz
      archivedFileCount: 7
      timeZone: UTC
      maxFileSize: 50MB
    - type: file
      layout:
        type: json
        appendLineSeparator: true
      filterFactories:
        - type: audit-only-filter-factory
      threshold: TRACE
      logFormat: "%level [%d{ISO8601,UTC}] [%t] %logger{5} - %msg%n"
      currentLogFilename: ./logs/audit.log
      archivedLogFilenamePattern: ./logs/audit-%d{yyyy-MM-dd}-%i.log.gz
      archivedFileCount: 25
      timeZone: UTC
      maxFileSize: 50MB

database:
  # the name of the JDBC driver, mysql in our case
  driverClass: ${DB_DRIVER_CLASS:-com.mysql.cj.jdbc.Driver}
  # the username and password
  user: ${DB_USER:-openmetadata_user}
  password: ${DB_USER_PASSWORD:-openmetadata_password}
  # the JDBC URL; the database is called openmetadata_db
  url: jdbc:${DB_SCHEME:-mysql}://${DB_HOST:-localhost}:${DB_PORT:-3306}/${OM_DATABASE:-openmetadata_db}?${DB_PARAMS:-allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC}

migrationConfiguration:
  flywayPath: "./bootstrap/sql/migrations/flyway"
  nativePath: "./bootstrap/sql/migrations/native"
  extensionPath: ""

# Authorizer Configuration
authorizerConfiguration:
  className: ${AUTHORIZER_CLASS_NAME:-org.openmetadata.service.security.DefaultAuthorizer}
  containerRequestFilter: ${AUTHORIZER_REQUEST_FILTER:-org.openmetadata.service.security.JwtFilter}
  adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
  allowedEmailRegistrationDomains: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]}
  principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"openmetadata.org"}
  enforcePrincipalDomain: ${AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN:-false}
  enableSecureSocketConnection : ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false}
  useRolesFromProvider: ${AUTHORIZER_USE_ROLES_FROM_PROVIDER:-false}

authenticationConfiguration:
  clientType: ${AUTHENTICATION_CLIENT_TYPE:-public}
  provider: ${AUTHENTICATION_PROVIDER:-basic}
  # This is used by auth provider provide response as either id_token or code
  responseType: ${AUTHENTICATION_RESPONSE_TYPE:-id_token}
  # This will only be valid when provider type specified is customOidc
  providerName: ${CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME:-""}
  publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]}
  authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}
  clientId: ${AUTHENTICATION_CLIENT_ID:-""}
  callbackUrl: ${AUTHENTICATION_CALLBACK_URL:-""}
  jwtPrincipalClaims: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
  jwtPrincipalClaimsMapping: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING:-[]}
  enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
  oidcConfiguration:
    id: ${OIDC_CLIENT_ID:-""}
    type: ${OIDC_TYPE:-""} # google, azure etc.
    secret: ${OIDC_CLIENT_SECRET:-""}
    scope: ${OIDC_SCOPE:-"openid email profile"}
    discoveryUri: ${OIDC_DISCOVERY_URI:-""}
    useNonce: ${OIDC_USE_NONCE:-true}
    preferredJwsAlgorithm: ${OIDC_PREFERRED_JWS:-"RS256"}
    responseType: ${OIDC_RESPONSE_TYPE:-"code"}
    disablePkce: ${OIDC_DISABLE_PKCE:-true}
    callbackUrl: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
    serverUrl: ${OIDC_SERVER_URL:-"http://localhost:8585"}
    clientAuthenticationMethod: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
    tenant: ${OIDC_TENANT:-""}
    maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""}
    customParams: ${OIDC_CUSTOM_PARAMS:-}
  samlConfiguration:
    debugMode: ${SAML_DEBUG_MODE:-false}
    idp:
      entityId: ${SAML_IDP_ENTITY_ID:-""}
      ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-""}
      idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""}
      authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"}
      nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"}
    sp:
      entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"}
      acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"}
      spX509Certificate: ${SAML_SP_CERTIFICATE:-""}
      callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"}
    security:
      strictMode: ${SAML_STRICT_MODE:-false}
      tokenValidity: ${SAML_SP_TOKEN_VALIDITY:-"3600"}
      sendEncryptedNameId: ${SAML_SEND_ENCRYPTED_NAME_ID:-false}
      sendSignedAuthRequest: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false}
      signSpMetadata: ${SAML_SIGNED_SP_METADATA:-false}
      wantMessagesSigned: ${SAML_WANT_MESSAGE_SIGNED:-false}
      wantAssertionsSigned: ${SAML_WANT_ASSERTION_SIGNED:-false}
      wantAssertionEncrypted: ${SAML_WANT_ASSERTION_ENCRYPTED:-false}
      wantNameIdEncrypted: ${SAML_WANT_NAME_ID_ENCRYPTED:-false}
      keyStoreFilePath: ${SAML_KEYSTORE_FILE_PATH:-""}
      keyStoreAlias: ${SAML_KEYSTORE_ALIAS:-""}
      keyStorePassword: ${SAML_KEYSTORE_PASSWORD:-""}
  ldapConfiguration:
    host: ${AUTHENTICATION_LDAP_HOST:-}
    port: ${AUTHENTICATION_LDAP_PORT:-}
    dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-""}
    dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-""}
    userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-""}
    groupBaseDN: ${AUTHENTICATION_GROUP_LOOKUP_BASEDN:-""}
    roleAdminName: ${AUTHENTICATION_USER_ROLE_ADMIN_NAME:-}
    allAttributeName: ${AUTHENTICATION_USER_ALL_ATTR:-}
    mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-}
    usernameAttributeName: ${AUTHENTICATION_USER_NAME_ATTR:-}
    groupAttributeName: ${AUTHENTICATION_USER_GROUP_ATTR:-}
    groupAttributeValue: ${AUTHENTICATION_USER_GROUP_ATTR_VALUE:-}
    groupMemberAttributeName: ${AUTHENTICATION_USER_GROUP_MEMBER_ATTR:-}
    #the mapping of roles to LDAP groups
    authRolesMapping: ${AUTH_ROLES_MAPPING:-""}
    authReassignRoles: ${AUTH_REASSIGN_ROLES:-[]}
    #optional
    maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3}
    sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-}
    truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll}
    trustStoreConfig:
      customTrustManagerConfig:
        trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-}
        trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-}
        trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-}
        verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
        examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-}
      hostNameConfig:
        allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-}
        acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]}
      jvmDefaultConfig:
        verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
      trustAllConfig:
        examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}

jwtTokenConfiguration:
  rsapublicKeyFilePath: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"}
  rsaprivateKeyFilePath: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"}
  jwtissuer: ${JWT_ISSUER:-"open-metadata.org"}
  keyId: ${JWT_KEY_ID:-"Gb389a-9f76-gdjs-a92j-0242bk94356"}

elasticsearch:
  searchType: ${SEARCH_TYPE:- "elasticsearch"}
  host: ${ELASTICSEARCH_HOST:-localhost}
  port: ${ELASTICSEARCH_PORT:-9200}
  scheme: ${ELASTICSEARCH_SCHEME:-http}
  username: ${ELASTICSEARCH_USER:-""}
  password: ${ELASTICSEARCH_PASSWORD:-""}
  clusterAlias: ${ELASTICSEARCH_CLUSTER_ALIAS:-""}
  truststorePath: ${ELASTICSEARCH_TRUST_STORE_PATH:-""}
  truststorePassword: ${ELASTICSEARCH_TRUST_STORE_PASSWORD:-""}
  connectionTimeoutSecs: ${ELASTICSEARCH_CONNECTION_TIMEOUT_SECS:-5}
  socketTimeoutSecs: ${ELASTICSEARCH_SOCKET_TIMEOUT_SECS:-60}
  keepAliveTimeoutSecs: ${ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS:-600}
  batchSize: ${ELASTICSEARCH_BATCH_SIZE:-10}
  payLoadSize: ${ELASTICSEARCH_PAYLOAD_BYTES_SIZE:-10485760}   #max payLoadSize in Bytes
  searchIndexMappingLanguage : ${ELASTICSEARCH_INDEX_MAPPING_LANG:-EN}
  searchIndexFactoryClassName : org.openmetadata.service.search.SearchIndexFactory

eventMonitoringConfiguration:
  eventMonitor: ${EVENT_MONITOR:-prometheus}  # Possible values are "prometheus", "cloudwatch"
  batchSize: ${EVENT_MONITOR_BATCH_SIZE:-10}
  pathPattern: ${EVENT_MONITOR_PATH_PATTERN:-["/api/v1/tables/*", "/api/v1/health-check"]}
  latency: ${EVENT_MONITOR_LATENCY:-[0.99, 0.90]} # For value p99=0.99, p90=0.90, p50=0.50 etc.
  # it will use the default auth provider for AWS services if parameters are not set
  # parameters:
  #   region: ${OM_MONITOR_REGION:-""}
  #   accessKeyId: ${OM_MONITOR_ACCESS_KEY_ID:-""}
  #   secretAccessKey: ${OM_MONITOR_ACCESS_KEY:-""}

eventHandlerConfiguration:
  eventHandlerClassNames:
    - "org.openmetadata.service.events.AuditEventHandler"
    - "org.openmetadata.service.events.ChangeEventHandler"

pipelineServiceClientConfiguration:
  enabled: ${PIPELINE_SERVICE_CLIENT_ENABLED:-true}
  # If we don't need this, set "org.openmetadata.service.clients.pipeline.noop.NoopClient"
  className: ${PIPELINE_SERVICE_CLIENT_CLASS_NAME:-"org.openmetadata.service.clients.pipeline.airflow.AirflowRESTClient"}
  apiEndpoint: ${PIPELINE_SERVICE_CLIENT_ENDPOINT:-http://localhost:8080}
  metadataApiEndpoint: ${SERVER_HOST_API_URL:-http://localhost:8585/api}
  ingestionIpInfoEnabled: ${PIPELINE_SERVICE_IP_INFO_ENABLED:-false}
  hostIp: ${PIPELINE_SERVICE_CLIENT_HOST_IP:-""}
  healthCheckInterval: ${PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL:-300}
  # This SSL information is about the OpenMetadata server.
  # It will be picked up from the pipelineServiceClient to use/ignore SSL when connecting to the OpenMetadata server.
  verifySSL: ${PIPELINE_SERVICE_CLIENT_VERIFY_SSL:-"no-ssl"} # Possible values are "no-ssl", "ignore", "validate"
  sslConfig:
    certificatePath: ${PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH:-""} # Local path for the Pipeline Service Client

  # Secrets Manager Loader: specify to the Ingestion Framework how to load the SM credentials from its env
  # Supported: noop, airflow, env
  secretsManagerLoader: ${PIPELINE_SERVICE_CLIENT_SECRETS_MANAGER_LOADER:-"noop"}

  # Default required parameters for Airflow as Pipeline Service Client
  parameters:
    username: ${AIRFLOW_USERNAME:-admin}
    password: ${AIRFLOW_PASSWORD:-admin}
    timeout: ${AIRFLOW_TIMEOUT:-10}
    # If we need to use SSL to reach Airflow
    truststorePath: ${AIRFLOW_TRUST_STORE_PATH:-""}
    truststorePassword: ${AIRFLOW_TRUST_STORE_PASSWORD:-""}

# no_encryption_at_rest is the default value, and it does what it says. Please read the manual on how
# to secure your instance of OpenMetadata with TLS and encryption at rest.
fernetConfiguration:
  fernetKey: ${FERNET_KEY:-jJ/9sz0g0OHxsfxOoSfdFdmk3ysNmPRnH3TUAbz3IHA=}

secretsManagerConfiguration:
  secretsManager: ${SECRET_MANAGER:-db} # Possible values are "db", "managed-aws","aws", "managed-aws-ssm", "aws-ssm", "managed-azure-kv", "azure-kv", "in-memory", "gcp"
  prefix: ${SECRET_MANAGER_PREFIX:-""} # Define the secret key ID as /<prefix>/<clusterName>/<key>
  tags: ${SECRET_MANAGER_TAGS:-[]} # Add tags to the created resource. Format is `[key1:value1,key2:value2,...]`
# it will use the default auth provider for the secrets' manager service if parameters are not set
  parameters:
    ## For AWS
    region: ${OM_SM_REGION:-""}
    accessKeyId: ${OM_SM_ACCESS_KEY_ID:-""}
    secretAccessKey: ${OM_SM_ACCESS_KEY:-""}
    ## For Azure Key Vault
    clientId: ${OM_SM_CLIENT_ID:-""}
    clientSecret: ${OM_SM_CLIENT_SECRET:-""}
    tenantId: ${OM_SM_TENANT_ID:-""}
    vaultName: ${OM_SM_VAULT_NAME:-""}
    ## For GCP
    projectId: ${OM_SM_PROJECT_ID:-""}

health:
  delayedShutdownHandlerEnabled: true
  shutdownWaitPeriod: 1s
  healthChecks:
    - name: OpenMetadataServerHealthCheck
      critical: true
      schedule:
        checkInterval: 2500ms
        downtimeInterval: 10s
        failureAttempts: 2
        successAttempts: 1

email:
  emailingEntity: ${OM_EMAIL_ENTITY:-"OpenMetadata"}
  supportUrl: ${OM_SUPPORT_URL:-"https://slack.open-metadata.org"}
  enableSmtpServer : ${AUTHORIZER_ENABLE_SMTP:-false}
  openMetadataUrl: ${OPENMETADATA_SERVER_URL:-"http://localhost:8585"}
  senderMail: ${OPENMETADATA_SMTP_SENDER_MAIL:-""}
  serverEndpoint: ${SMTP_SERVER_ENDPOINT:-""}
  serverPort: ${SMTP_SERVER_PORT:-""}
  username: ${SMTP_SERVER_USERNAME:-""}
  password: ${SMTP_SERVER_PWD:-""}
  transportationStrategy: ${SMTP_SERVER_STRATEGY:-"SMTP_TLS"}

limits:
  enable: ${LIMITS_ENABLED:-false}
  className: ${LIMITS_CLASS_NAME:-"org.openmetadata.service.limits.DefaultLimits"}
  limitsConfigFile: ${LIMITS_CONFIG_FILE:-""}

web:
  uriPath: ${WEB_CONF_URI_PATH:-"/api"}
  hsts:
    enabled: ${WEB_CONF_HSTS_ENABLED:-false}
    maxAge: ${WEB_CONF_HSTS_MAX_AGE:-"365 days"}
    includeSubDomains: ${WEB_CONF_HSTS_INCLUDE_SUBDOMAINS:-"true"}
    preload: ${WEB_CONF_HSTS_PRELOAD:-"true"}
  frame-options:
    enabled: ${WEB_CONF_FRAME_OPTION_ENABLED:-false}
    option: ${WEB_CONF_FRAME_OPTION:-"SAMEORIGIN"}
    origin: ${WEB_CONF_FRAME_ORIGIN:-""}
  content-type-options:
    enabled: ${WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED:-false}
  xss-protection:
    enabled: ${WEB_CONF_XSS_PROTECTION_ENABLED:-false}
    on: ${WEB_CONF_XSS_PROTECTION_ON:-true}
    block: ${WEB_CONF_XSS_PROTECTION_BLOCK:-true}
  csp:
    enabled: ${WEB_CONF_XSS_CSP_ENABLED:-false}
    policy: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"}
    reportOnlyPolicy: ${WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY:-""}
  referrer-policy:
    enabled: ${WEB_CONF_REFERRER_POLICY_ENABLED:-false}
    option: ${WEB_CONF_REFERRER_POLICY_OPTION:-"SAME_ORIGIN"}
  permission-policy:
    enabled: ${WEB_CONF_PERMISSION_POLICY_ENABLED:-false}
    option: ${WEB_CONF_PERMISSION_POLICY_OPTION:-""}
  cache-control: ${WEB_CONF_CACHE_CONTROL:-""}
  pragma: ${WEB_CONF_PRAGMA:-""}