How to set up bots when SSO is configured
In the 0.12.1 version, the AIRFLOW_AUTH_PROVIDER and OM_AUTH_AIRFLOW_{AUTH_PROVIDER} parameters are not needed to configure how the ingestion is performed from Airflow when our OpenMetadata server is secured. This can be achieved directly from the UI through the Bots configuration in the settings page.
By default, ingestion-bot is the account used for any ingestion pipeline deployed from the UI. To set up the ingestion-bot from the UI, go to Settings > Bots. In the following example we are going to show how to configure it for Google SSO, but it can apply to any SSO.
- Click on ingestion-bot:
- If you are configuring a bot with an SSO service account for the first time, first revoke the default auto-generated JWT Token by clicking the "Revoke" button:
- Then, click on "Generate New Token":
- Select your configured SSO from the list. In this case, Google SSO.
- Configure it with your SSO values. Ensure that the account email of your SSO matches the service account name of the bot.
Notes:
1. ingestion-bot
The ingestion-bot is created (or updated if it already exists) as a system bot that cannot be deleted. The credentials used for this bot, if they did not exist before, will be the ones present in the OpenMetadata configuration. Otherwise, a JWT Token will be generated to be the default authentication mechanism of the ingestion-bot.
2. JWT Token auth mechanism
If you decide to configure a JWT Token as the authentication mechanism, ensure that you also have the value http://localhost:8585/api/v1/system/config/jwks in your publicKeyUrls list:
- For bare metal configuration:
- For Docker configuration, the value to be updated is AUTHENTICATION_PUBLIC_KEYS:
- In the case of Kubernetes, you have to update the publicKeys values:
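A preflight check for the JWT note above, as an added example that is not part of the OpenMetadata documentation or code base: it confirms the JWKS URL is in the configured key list and that the bot token's key ID appears in the JWKS document. The function names, the bracketed comma-separated list format, the sample key ID and the sample token are assumptions constructed for illustration.

```python
import base64
import json

# URL taken from the page; everything else below is constructed sample data.
OM_JWKS_URL = "http://localhost:8585/api/v1/system/config/jwks"


def parse_public_key_urls(raw):
    """Split a publicKeyUrls value into URLs.

    Assumption: a comma-separated list, optionally wrapped in square brackets.
    """
    inner = raw.strip().strip("[]")
    return [u.strip().strip("'\"") for u in inner.split(",") if u.strip()]


def jwt_header(token):
    """Decode the JWT header WITHOUT verifying the signature (inspection only)."""
    segment = token.split(".")[0]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def preflight(raw_urls, token, jwks):
    """Return the problems that would stop the server from trusting the bot token."""
    problems = []
    if OM_JWKS_URL not in parse_public_key_urls(raw_urls):
        problems.append("publicKeyUrls is missing " + OM_JWKS_URL)
    kid = jwt_header(token).get("kid")
    known = {k.get("kid") for k in jwks.get("keys", [])}
    if kid is None or kid not in known:
        problems.append("token kid %r not found in JWKS" % kid)
    return problems


def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample inputs (not real keys or tokens).
SAMPLE_JWKS = {"keys": [{"kid": "sample-kid-1", "kty": "RSA", "alg": "RS256"}]}
SAMPLE_TOKEN = ".".join([_b64({"alg": "RS256", "kid": "sample-kid-1"}),
                         _b64({"sub": "ingestion-bot"}), "sig"])
GOOD = "[https://www.googleapis.com/oauth2/v3/certs, " + OM_JWKS_URL + "]"
BAD = "[https://www.googleapis.com/oauth2/v3/certs]"

if __name__ == "__main__":
    print(preflight(GOOD, SAMPLE_TOKEN, SAMPLE_JWKS))
    print(preflight(BAD, SAMPLE_TOKEN, SAMPLE_JWKS))
```

In practice the `jwks` argument would be the JSON returned by the JWKS endpoint and `token` the bot's generated JWT; this check only inspects the header and does not validate the signature.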
3. Redeploying ingestion pipelines
When the ingestion-bot is updated, we must redeploy our ingestion pipelines, since the credentials used by the bot have changed and the previous ones will no longer be valid.