yujunjun/datahub
2
0
Fork 0
mirror of https://github.com/datahub-project/datahub.git synced 2025-09-17 21:20:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
datahub/metadata-ingestion/source_docs/azure-ad.md

7.4 KiB
Raw Blame History

Azure AD

For context on getting started with ingestion, check out our metadata ingestion guide.

Setup

To install this plugin, run pip install 'acryl-datahub[azure-ad]'.

Capabilities

This plugin extracts the following:

  • Users
  • Groups
  • Group Membership

from your Azure AD instance.

Extracting DataHub Users

Usernames

Usernames serve as unique identifiers for users on DataHub. This connector extracts usernames using the "mail" field of an Azure AD User Response. By default, the 'mail' attribute, which contains an email, is parsed to extract the text before the "@" and map that to the DataHub username.

If this is not how you wish to map to DataHub usernames, you can provide a custom mapping using the configurations options detailed below. Namely, azure_ad_response_to_username_attr and azure_ad_response_to_username_regex.

Responses

This connector also extracts basic user response information from Azure. The following fields of the Azure User Response are extracted and mapped to the DataHub CorpUserInfo aspect:

  • display name
  • first name
  • last name
  • email
  • title
  • country

Extracting DataHub Groups

Group Names

Group names serve as unique identifiers for groups on DataHub. This connector extracts group names using the "name" attribute of an Azure Group Response. By default, a URL-encoded version of the full group name is used as the unique identifier (CorpGroupKey) and the raw "name" attribute is mapped as the display name that will appear in DataHub's UI.

If this is not how you wish to map to DataHub group names, you can provide a custom mapping using the configurations options detailed below. Namely, azure_ad_response_to_groupname_attr and azure_ad_response_to_groupname_regex.

Responses

This connector also extracts basic group information from Azure. The following fields of the Azure AD Group Response are extracted and mapped to the DataHub CorpGroupInfo aspect:

  • name
  • description

Extracting Group Membership

This connector additional extracts the edges between Users and Groups that are stored in Azure AD. It maps them to the GroupMembership aspect associated with DataHub users (CorpUsers). Today this has the unfortunate side effect of overwriting any Group Membership information that was created outside of the connector. That means if you've used the DataHub REST API to assign users to groups, this information will be overridden when the Azure AD Source is executed. If you intend to always pull users, groups, and their relationships from your Identity Provider, then this should not matter.

This is a known limitation in our data model that is being tracked by this ticket.

Quickstart recipe

As a prerequisite, you should create a DataHub Application within the Azure AD Portal with full permissions to read your organization's Users and Groups.

You can use the following recipe to get started with Azure ingestion! See below for full configuration options.

---
source:
  type: "azure-ad"
  config:
    client_id: "00000000-0000-0000-0000-000000000000"
    tenant_id: "00000000-0000-0000-0000-000000000000"
    client_secret: "xxxxx"
    redirect: "https://login.microsoftonline.com/common/oauth2/nativeclient"
    authority: "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
    token_url: "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/token"
    graph_url: "https://graph.microsoft.com/v1.0"
    ingest_users: True
    ingest_groups: True
    ingest_group_membership: True

sink:
  # sink configs

For general pointers on writing and running a recipe, see our main recipe guide.

Configuration

Note that a . is used to denote nested fields in the YAML configuration block.

Field Type Required Default Description
client_id string Application ID. Found in your app registration on Azure AD Portal
tenant_id string Directory ID. Found in your app registration on Azure AD Portal
client_secret string Client secret. Found in your app registration on Azure AD Portal
redirect string Redirect URI. Found in your app registration on Azure AD Portal
authority string The authority is a URL that indicates a directory that MSAL can request tokens from.
token_url string The token URL that acquires a token from Azure AD for authorizing requests
graph_url string Microsoft Graph API endpoint
ingest_users bool True Whether users should be ingested into DataHub.
ingest_groups bool True Whether groups should be ingested into DataHub.
ingest_group_membership bool True Whether group membership should be ingested into DataHub. ingest_groups must be True if this is True.
azure_ad_response_to_username_attr string "login" Which Azure AD User Response attribute to use as input to DataHub username mapping.
azure_ad_response_to_username_regex string "([^@]+)" A regex used to parse the DataHub username from the attribute specified in azure_ad_response_to_username_attr.
azure_ad_response_to_groupname_attr string "name" Which Azure AD Group Response attribute to use as input to DataHub group name mapping.
azure_ad_response_to_groupname_regex string "(.*)" A regex used to parse the DataHub group name from the attribute specified in azure_ad_response_to_groupname_attr.

Compatibility

Validated against load:

  • User Count: 1000
  • Group Count: 100
  • Group Membership Edges: 1000 (1 per User)

Questions

If you've got any questions on configuring this source, feel free to ping us on our Slack!